Unconventional Security Devices

Journal of Physical Security 7(3), 62-126 (2014)
Unconventional Security Devices*
Roger G. Johnston, Ph.D., CPP and Jon S. Warner, Ph.D.
Vulnerability Assessment Team

Argonne National Laboratory
Introduction
This paper briefly describes 33 different unconventional security devices that we have
devised and/or constructed. These devices are divided into 4 categories: tamper-
indicating seals and traps (covert seals), tags, real-time monitoring devices, and access
control techniques. Devices 1 and 25 - 33 are our newest concepts or prototypes, or the
ones we have most recently made progress on.
For each of the security devices or techniques described in this paper, we only briefly
sketch their design concept. We don’t have the space to discuss the subtler issues
associated with these devices and concepts, including details of their design, likely
vulnerabilities, or possible countermeasures. Some of these designs might not ultimately
prove practical, but we hope that discussing them might nevertheless encourage new
approaches to physical security that we believe are sorely needed.
At the start of the discussion of each device, we list 3 pieces of information: the type of
device, its current status (working prototype, patented, demonstrated, proof of principle,
concept only, etc.), and an indication of the likely level of security offered by that design,
i.e., how hard it might be to defeat. The latter is only speculation, though speculation based
on our considerable experience with conducting vulnerability assessments on many
different kinds of physical security and nuclear safegaurds devices and technologies.[1-12]
The problem with estimating levels of security is that none of these devices are fully
developed (because of a lack of funding), yet vulnerabilities depend critically on exact
details of the design, how the security product is to be used, and for what applications and
to counter what adversaries.[1,6,10]
Most of these devices could be fairly inexpensive. When we list the cost of components, it
is always in retail quantities of 1. Component costs tend to fluctuate over time (but usually
decrease), and almost always drop dramatically when purchased in volume.
__________
* This paper was not peer reviewed.
62
Seals
Tamper-indicating seals play an important role in nuclear safeguards, physical security,

IT security, and cargo security.[5,6,9,10] Seals are used to detect (after the fact)
unauthorized access to containers, packages, envelopes, records, computer media,
instrumentation, rooms, and transport vehicles. Unlike locks, seals are not meant to delay
or complicate unauthorized access, just record that it occurred. Unlike intrusion detectors,
seals do not detect unauthorized access in real-time, i.e. immediately.
Unfortunately, many (perhaps all) seals currently available are easy to spoof using rapid,
low-tech methods.[1,13-16] Better seals are both necessary and possible. Some of the
designs discussed below probably could provide better security. Some of these seals can be
used as “traps”, i.e. covert seals, where the tamper-indicating hardware is placed inside the
container or transport vehicle, with no evidence of tamper detection on the outside.
A number of these new types of seals are based on the “anti-evidence” concept discussed
in detail elsewhere.[1,13,16,17] Anti-evidence seals are designed to overcome the chief
vulnerability of conventional seals—that adversaries can often readily hide or erase the
fact that tampering was detected, or else make fresh counterfeit seals that show no
evidence of tampering. With anti-evidence seals, in contrast, secret information (called the
“anti-evidence”) is stored in or on the seal when it is first installed. This information
indicates that no tampering has yet been detected; it is immediately erased should
unauthorized access occur. The “good guys” can determine that unauthorized access
occurred by noting the absence of the anti-evidence. The “bad guys” gain nothing by
counterfeiting the seal hardware unless they can determine the secret anti-evidence. And
the act of trying to get to the secret information causes its immediate erasure.
Device #1 - Time “Lock”
Type: electronic, reusable time-out seal

Status: duplicate working prototypes
Applications: low to medium level security
Oddly, small battery-powered, padlock-size time locks do not seem to be commercially

available. All commercial time locks seem to be large and expensive, and intended for high-
level security applications.
The device shown in figure 1 is a re-usable, electronic, tamper-indicating seal we

developed that we call a “Time Lock”. We call it a “lock” because it looks like a lock and is
used somewhat like a lock, and because people (including security professionals) are often
confused about seals and tamper detection. This working prototype was developed by
modifying a commercial infrared padlock and adding an additional microprocessor and our
custom firmware and electronics.
63
Figure 1 - One of our working Time Lock prototypes. The shackle and some of the interior is metal, while the
outside is plastic. The prototype shown is 6 x 4 x 10 cm, much larger than is necessary. The prototype uses
less than $20 of parts (quantities of 1).
The device has two modes of operation. A switch in the battery compartment of the
device selects the mode. In “time-out mode”, the seal opens automatically after a set period
of time (the “countdown period”). No key or combination is necessary, so there is nothing
for the user to lose or forget, respectively. Moreover, the person who originally “locked”
the seal does not need to be present when it opens. Thus, there are also no key- or
combination-control issues associated with the use of this device.
Examples of its use might be to lock up the cookie jar to keep children from accessing it
prior to dinner, or in an office setting, to seal containers or filing cabinets when going out to
lunch.
The second mode of operation is “vault mode”. This is where the “lock” can only be
opened after a set period of time, using the fob with an infrard LED that comes with the
original commercial infrared lock. The fob transmits a unique, fixed ID number.
The length of the countdown period for the prototype shown in figure 1 is adjustable
from the battery compartment. 5 different time lengths are available, from 20 seconds (for
demonstration purposes) to several days. The final design would have more time options,
including a continuous choice of time.
Changing the mode or the time duration once the countdown period starts does not affect
the time of opening.
64
The battery strength is tested by our microprocessor prior to starting the countdown to
make sure there is sufficient power to open the lock after the countdown period. Very little
power is used during the countdown period, as the microprocessor is mostly asleep. If the
batteries go dead, the user can always insert fresh batteries and the countdown will
continue from where it stopped.
The device has various tamper-indicating and anti-counterfeiting features which are not
discussed here, nor fully implemented in the prototype.
Device #2 - Time Trap
Type: hash time trap (anti-evidence, covert tamper-indicating seal)

Status: working prototypes with 3 different designs
Applications: high level security
As discussed elsewhere in more detail[1,16,17], a Time Trap is a type of anti-evidence

seal based on the realization that unauthorized access by bad guys must occur prior to the
good guys opening the container or vehicle, and the fact that the vector of time points only
in the forward direction in the real world.
The battery-powered Time Trap prototype shown in figure 2 uses a Microchip 16F819
microprocessor (~$1.80 each), programmed in PIC BASIC Pro.
The microprocessor is programmed to compute a new hash value for each minute that
the seal is in use. (Roughly speaking, a “hash” is a fixed length number computed from a
larger number in a complex and irreversible manner.[16]) The computation uses a secret
key that is unique for each seal and each shipment. The key is chosen randomly by the seal
based on the exact microsecond when a button on the seal is pressed by the user. Knowing
the hash algorithm is of little help to an adversary if he does not also know the secret key
chosen by the seal for the current use period.
Figure 2 - One design for our working prototype Time Trap.
65
The seal can go inside a container or transport vehicle (and thus can be a Type 1 Trap),
or it can go overtly on the outside hasp. It does not require a password or reader, nor does
it have to be queried about tampering prior to opening the container or vehicle.
Once the seal detects that the container or vehicle has been opened (by either the good
guys or the bad guys), it immediately erases (< 1 µsec) the secret key used by the hash
algorithm. This erasure of this “anti-evidence” prevents an intruder from being able to
predict future hash values. After erasure, the display permanently shows the time that the
container or vehicle was opened and the hash value (2 letters of the alphabet) that
authenticates that time.
A single hash value is of no help in determining future hash values, because there is
considerable degeneracy built into the hash algorithm. There are an average of 400
different secret keys that produce the same hash value for a given time (even assuming the
adversary fully understands the hash algorithm in use). Thus, intruders will not be able to
determine what hash value will need to be on the display when the good guys later gain
access to the container or vehicle.
It turned out to be surprisingly challenging to choose a hash algorithm that has this high
degree of degeneracy, and also selects fairly uniformly from among the possible 2-letter
hashes as the secret key and the elapsed time vary. Once a suitable algorithm is found,
slight modifications can ruin its behavior. This is also something we did not expect.
The prototype shown in figure 2 reports the time and hash value via the liquid crystal
display (LCD). For this prototype, these values are read visually. The seal, however, could
easily be designed to report the time and hash remotely via (for example) radiofrequency
(rf), infrared (ir), acoustic signals, or electrical contact. Figure 3 shows an implementation
that relies on the latter.
Seal inspection after opening the the container or vehicle involves determining if the time
on the display is the correct time of opening (in absolute or relative time). Then, the 2-
letter hash is noted. To check if this hash is correct, the time of opening and the value of the
secret key can be sent back to headquarters where the hash can be computed. Alterna-
tively, the hash can be checked in the field with a computer program we have written
(figure 4), or by using a handheld device (prototype shown in figure 5).
The Time Trap has an interesting verification (“anti-gundecking”) feature. If the seal
inspectors are required to report the opening time and 2-letter hash back to headquarters,
this automatically verifies that they actually checked the seal for tampering (instead of just
claiming to have done so). They do not need a secure communications channel to do this.
While it is monitoring for intrusion, the Time Trap measures its battery voltage, and will
instantly erase the anti-evidence secret key should the battery voltage drop below a certain
threshold. This feature is needed because certain attacks on electronic seals involve
removing the battery or slowly reducing its voltage. (Battery failure cannot be reliably
distinguished from tampering in any electronic seal.) In addition, the seal monitors for
66
rapid or extreme changes in temperature that might indicate a thermal attack on the seal or
battery.
Figure 3 - This figure shows a $2 verson of the Time Trap inserted into a briefcase. It uses a light sensor to
determine when the briefcase is opened. This kind of sensor is not very effective for good security, but it is
inexpensive. A quarter in the bottom of the briefcase shows the scale. The Time Trap inside the briefcase can
be read electronically by a direct electrical connection through the briefcase.
Figure 4 - A computer program we wrote to determine the correct 2-letter hash for a given secret key (K)
and opening time. If desired, the program can run continuously, updating the hash as the time automatically
advances.
67
Figure 5 - A prototype device for computing the 2-letter hash algorithm after the secret key and the elapsed
time are entered.
To reuse the Time Trap, the device is turned off , then turned back on. It will select a new
random key based on the (unpredictable) exact microsecond that the user presses a button.
For a few more dollars in parts, the prototype Time Trap in figure 3 can simultaneously
monitor up to 14 additional sensors. When multiple sensors are used, they are polled in a
random, constantly changing order so that an adversary cannot predict when a given
sensor will be read by the seal.
We have demonstrated a number of different sensors that can work with the Time Trap.
One is a small, solid-state Hall Effect magnetic sensor (Honeywell SS94, ~$2 each). This
sensor can monitor the opening of a container lid or a truck door. A small permanent
magnet is placed on the lid or door; when opened, the Hall Effect sensor detects the change
in magnetic field caused by the movement of the magnet. Unlike simple magnetic door
switches, the Hall Effect sensor cannot be easily spoofed by just bringing another magnet
close. This is due to its high sensitivity, about 200 nanoTesla (nT). By way of comparison,
the Earth’s magnetic field at the surface is about 55,000 nT.
Changes in the magnetic vector as a moving transport vehicle changes orientation with
respect to the Earth’s field can either be ignored by raising the alarm threshold of the
sensor, or by correcting for the apparent change in the Earth’s field using a second Hall
Effect sensor located far from the magnet on the lid or door. If a magnet is placed on the
assets of interest instead of the lid or door, then the Hall Effect sensor can detect the
removal or movement of the assets if it is sufficiently close.
Another sensor that can be used with the Time Trap is a solid state tilt sensor
(accelerometer) with 0.001g resolution (MEMSIC MXD2020E/FL, ~$12.50 each). If one of
these sensors is placed on the container lid or vehicle door, and another is placed on a
68
nearby perpendicular surface, they can be compared to tell when the lid or door has been
opened as compared to jostling from overall movement of the container or vehicle.
A miniature Passive Infrared (PIR) sensor can also be used to detect the presence of
people or a hand in a container. These typically cost approximaltey $2 each and cover the
thermal ir wavelength range 7 to 14 µm. Inexpensive ultrasonic motion detectors also
work fairly reliably if used inside a closed container.
A solid state colorimetric sensor (~$2.50 each) described in the section on Device #19
(the Tie-Dye Seal) can also be very effective at detecting tampering or movement of assets,
lids, or doors.
Other possible sensors include:
hall effect magnetometer $0.85

1-wire temperature sensor $2
thermistor $0.70
force sensor $3
solid state CO2 sensor $18
IR proximity sensor $12
gyro (angular rate sensor) $22
triple axis accelerometer, $7
temp and humidity sensor $12
high-resolution 2-axis magnetometer $50
vibration sensor $2.50
Device #3 - Flashing Lights Seal
Type: password (anti-evidence) seal

Status: demonstration prototype
Applications: medium level security
Password seals are a kind of anti-evidence seal that requires the good guys to uniquely
identify themselves with a password (or PIN or mechanical combination) before the seal
will report the secret anti-evidence.[16] Both the anti-evidence and the password must be
kept secret for the duration of the cargo shipment or period of tamper monitoring.
This working prototype device shown in figure 6 is such a password, anti-evidence seal.
It typically would go on the outside of a container. At the start of each use, the seal chooses
a 4-digit password and the 4-digit anti-evidence and flashes them to the user with LED
lights.
Prior to when the seal is removed or the container or vehicle is opened, the user inputs
the password using the push buttons. The seal then responds by flashing the 4-digit anti-
evidence if the seal has not been opened, and the wrong 4-digits if it has (or the password
69
is wrong). Only 3 wrong passwords are allowed before the seal permanently erases the 4-
digit anti-evidence.
The device in figure 6 uses a light sensor, but many other kinds of intrusion sensors are
possible, as with the Time Trap.
Figure 6 - A demonstration prototype for the Flashing Lights Seal. This microprocessor-based seal uses less
than $4 of parts. It measures 5 x 4.5 x 2 cm, though it can easily be reduced in size by a factor of 5. The seal
would ordinarily go inside a light-tight seal outer case.
Device #4 - Blinking Lights Saturation Seal
Type: saturated response (anti-evidence) trap

Status: demonstration prototype
Figure 7 shows a schematic of a Saturated Response Trap [16] called the Blinking Lights
Seal. It consists of a two-dimensional array of light emitting diodes (LEDs) driven by a
programmed microprocessor. Like the Time Trap, this seal can be located inside the
container or transport vehicle being monitored for unauthorized access. In that case, it is a
Type 1 trap. It can also be used (as an overt seal) on a hasp outside the conainer or vehicle
with a slight redesign.
The device can use the same sensors as the Time Trap. Also like a Time Trap, it does not
require a password, nor does it have to be queried about tampering prior to opening the
container or transport vehicle.
70
Figure 7 - The Blinking Lights Saturation Seal. The blinking LED lights indicate whether
tampeirng has been detected by hiding this information among other extraneous blinking.
Unlike the Time Trap, however, the Blinking Lights Seal does not need to keep track of
time nor compute (or look up) hash values. Instead, when requested, the Blinking Lights
Seal unleashes a high bandwidth stream of data. Hidden somewhere in the data is one or a
few bits that represent the anti-evidence. This bit or bits tells the seal inspector whether
the container or transport vehicle has been opened previously. All the other data is just
random noise.
In the case of the prototype seal shown in figure 7, the high bandwidth data is a complex
temporal two-dimensional pattern of blinking lights. This pattern is shown only once on
demand (by pushing a button), or else repeated only a small number of times before the
pattern is permanently erased from the seal’s microprocessor. Each seal, each time it is
used for a shipment, has a different blinking pattern chosen by the microprocessor prior to
use, or downloaded to it.
The punch card shown inserted in figure 8 is one possible way for the seal inspector to
interpret the blinking lights. It is designed to slide in front of the two-dimensional array of
LEDs. (Each seal, and possibly each shipment, has a different card.) This card allows the
seal inspector to focus on (for example) just 3 of the blinking LEDs. The lack of previous
tampering can be indicated a number of different ways (otherwise tampering is indicated).
Here are just a few of the possibilities:
• All 3 of the LEDs turn on or off in unison.

• The 3 LEDs turn on and off in sequence.
• The first LED blinks once, the second one twice, the third one three times.
• If the LEDs are 3-color LEDs, they all show the same color simultaneously.
71
An adversary who does not know which of the LEDs are relevant is faced with a complex
two-dimensionally array of rapidly blinking lights. To try to hide the fact that he has
previously gained unauthorized access, he can record the complete pattern of blinking
lights, then program the original seal or a counterfeit to replay that same pattern. This is
certainly possible, but it requires at least some capability in electronics and
microprocessors, plus it may not be easy to do rapidly.
Figure 8 - The inserted punch card focuses the inspector’s attention on the only LEDs that matter.
The Blinking Light Seal has the advantage of being electronic, yet still engaging the seal
inspector in a careful visual examination of the seal. If desired, the card shown in figure 8
can be punched out just minutes before it is needed, based on information securely
transmitted to the cargo’s destination.
Ordinarily, the blinking light pattern will be displayed only when the seal inspector
pushes a button on the seal. In our demonstration prototype, however, there are 5
different buttons. Each one generates a different light pattern (but convey the same anti-
evidence). All the other patterns would then be erased once a button choice was made.
Device #5 - Talking Truck Cargo Seal

Status: working prototypes of several different designs
72
Figure 9 shows a working prototype of one type of password seal called the Talking
Truck Cargo Seal. The unit at the left is the handheld unit, which remains outside the truck
(or container) being monitored for unauthorized access. It can communicate with up to
1000 different seals using 434 MHz radiofrequency (rf) signals. The unit at the right of
figure 9 is the actual tamper-indicating seal that goes inside the truck (or container) to be
monitored. It includes a light sensor like our Time Trap, but it can also simultaneously poll
up to 12 additional intrusion sensors, including those discussed in the Time Trap section.
Figure 9 - Prototype Talking Truck Cargo Seal, with the handheld seal reader on the left.
Our prototype Talking Truck Cargo Seals were designed for a fictitious trucking company
called “Near Miss Trucking”. The anti-evidence consists of one randomly chosen slogan out
of 135 (or more) possible slogans used by Near Miss Trucking Company. These slogans are
not secret. In fact, it is advantageous if the seal inspector is quite familiar with all the
slogans. What is kept secret is exactly which slogan was chosen for each container in any
given shipment. A new, random choice of slogan is made each time a seal is reused.
Examples of the Near Miss Trucking slogans we use in our prototype (some admittedly
facetious) include:
73
• The “go” in cargo.

• We’ll make it fit!
• It’s not our fault.
• Sleep, what’s that?
• Fewer felons work for us.
• If it falls out of our truck, you can keep it.
• The center lane marker is only a suggestion.
• At least one fire extiguisher per dozen trucks.
After the container or truck is sealed up, the handheld unit in figure 9 chooses the secret,
random 4-byte password and one of the slogans. This information is transmitted
wirelessly by radio frequency (rf) to the seal inside the truck through the truck wall (even
if metal). The seal then stores it until unauthorized access is detected.
The secret password and slogan chosen by the handheld unit can be duplicated or read
out a variety of ways so that the secret information can be sent (using encryption or a
secure communications channel) to the cargo’s destination where it will be needed for seal
inspection. Alternately, the original handheld unit can be physically transported to the
cargo’s destination.
The prototype in figure 9 has the handheld unit speak the slogan through a built-in
speaker, although an earphone can also be used in noisy environments. Other possible
versions of the Talking Truck Cargo Seal could have the truck itself do the speaking. This
simply requires that a small speaker be added to the seal, or to the inside or outside wall of
the truck.
For the speaking, we use a digitally recorded human voice, rather than synthesized
speech because this makes the slogan easier to understand. The slogan is repeated 3 times
to be sure it is heard.
Only if the correct password is sent by the handheld unit to the seal in the correct rf
format AND if there was no unauthorized access, will the correct slogan be spoken at
inspection time. Otherwise, a different slogan is spoken so as not to tip off the bad guys
that their intrusion was detected. For ease of use, the inspector can check off which slogan
was heard from an alphabetized checklist of the 135 possible slogans.
Having a spoken slogan keeps the seal inspection process at a very human level. This is
advantageous from a psychological standpoint. Too often, automated high-tech seal
readers distract the seal inspector, or mentally remove him from personal involvement in
the details of the shipment. This is not conducive to good security.
With 135 possible slogans, an adversary has a 1 in 135 (0.7%) chance of guessing the
correct slogan. Then he must program the original seal or a counterfeit to say the correct
slogan when the secret password is presented. He does not get a second chance. If even
better odds are desired, up to 4000 possible slogans can be stored in the seal.
74
We also made a “food” version that says 3 different kinds of food out of 256 possibilities.
Thus, if the inspector hears, for example, “hamburger-waffles-bananas” he can be assured
there was no tampering, but if he hears 3 other foods (or nothing), then unauthorized
access is indicated. With 256 possible food choices, the odds of an adversary correctly
guessing the 3 foods in the correct order is approximately 1 in 17 million. (One
disadvantage of this design is that it tends to make the user hungry!)
Device #6 - Triboluminescent Seal

Status: U.S. patent 6,394,022 [18]
Triboluminescence is the phenomenon where a material produces light (visible,

ultraviolet, or infrared) when mechanically agitated.[19,20] (The word “tribo” means “to
rub” in Greek.) While most materials are triboluminescent to some degree when sufficient
pressure is applied, there are many compounds that can produce visible sparks in daylight
conditions when merely dragging a fingernail across them.
Some of the most strongly triboluminescent compounds include zinc sulfide (sphalerite)
doped with manganese, cholesteryl salicylate, various europium and terbium compounds
and complexes, N-isopropylcarbazole, triphenylamine, and silicon carbide
(carborundum).[19,20] Wintergreen Life Savers (powdered sugar doped with methyl
salicylate) have also been known for hundreds of years to generate sparks when crushed in
the mouth[21], though this triboluminescence is 2-3 orders of magnitude less efficient.
The idea behind the Triboluminescent Seal is that any attempt by an adversary to open,
drill, saw, cut, grind, or chemically attack the seal will produce triboluminescence. This
light can be used to trigger an erasure of the anti-evidence.[16,18]
A schematic for one possible implementation of the seal is shown in figure 10. The seal
consists of two halves (male and female) that snap together irreversibly through a hasp via
an internal C-locking ring. This locking ring is stronger than the seal material itself so that
any attempt to pry the two halves apart results in damage to the seal and the generation of
triboluminescent light. An alternate design appears in figure 11. In this case, the two seal
halves are attached by the use of tight threading. A considerable amount of light will be
generated when the seal is screwed or unscrewed. With this design, the user does not need
a special tool to open the seal, and the two seal halves can be reused.
75
Figure 10 - Cross-sectional view of one version of the Triboluminescent Seal shown assembled. The male
(bottom) and female (top) halves have been snapped together through the hasp of the container or
truck/railcar door.
76
Figure 11 - Threaded version of the Triboluminescence Seal shown prior to use. Each half of the seal is
painted on its exterior with an opaque paint or epoxy layer (and also on certain interior surfaces). This
prevents light from entering the seal and exposing the undeveloped photographic film which is located at the
bottom of the male half of the seal.
77
The two halves of the seal are made from transparent or translucent glass or plastic that
is doped with strongly triboluminescent powders. Inside the seal are two inexpensive
plastic polarizers. The first polarizer (pol 1 in figure 10) is fixed and cannot rotate. The
second polarizer (pol 2) can be rotated in a non-contact manner by rotating the magnetic
ring on the outside of the seal. We can get any orientation we want (even after the seal is
closed) for pol 2 by rotating the external magnetic ring. The ring interacts magnetically
with pol 2 to permit this non-contact rotation. There is enough friction on pol 2 to prevent
it from rotating inadvertently.
Here is one way the seal can work: Prior to sealing a container or door, we take two
identical photographs of some detailed scene using very fast (high sensitivity) film. The
film is then removed from the camera. One of the pieces of film is developed and then
placed in secure storage. The second (identical) piece of film is left undeveloped, and then
placed into the bottom of the male half of the seal. This must be done in the dark to avoid
exposing the film to light.
Next, we insert the two polarizers, again in the dark. The 2 polarizers are initially
crossed so that virtually no light passes through them because of the high extinction
coefficient. This keeps the film inside the male half of the seal safe from room light, and the
seal can then be taken out of the darkroom. (It might nevertheless be a good idea to place a
temporary cap on the male half of the seal to minimize light exposure.)
When the seal is ready for use, the two halves of the seal are snapped or screwed
together through the hasp of the container being sealed. The external magnetic ring is
rotated to orient pol 2 to some arbitrary, unpredictable angle, where it is no longer crossed
with pol 1.
Markings (or numbers) on the outside of the magnetic ring tell the seal user how much to
rotate the magnetic ring back in order to cross the polarizers when it is time to examine the
seal for signs of tampering. Unauthorized personnel, however, do not know which is the
correct orientation required for the magnetic ring to cross the two polarizers. (Each seal is
different.) The markings or numbers on the magnetic ring are thus a bit like a combination
that only authorized personnel are supposed to know.
When it is time to inspect the seal for tampering, here is the process: The seal user
rotates the external magnetic ring back to the (secret) proper orientation to cross the two
polarizers. This orientation is the secret “combination” or “password” that makes it safe to
open the seal. He/she then cuts, saws, or grinds the seal off at the female half, just above
the polarizers in figure 10, or unscrews the two halves for the figure 11 design. This will
generate considerable triboluminescent light (plus let in room light), but it won’t matter
because the cross polarizers will keep light from reaching the film.
The seal is then taken to a darkroom for analysis. A technician (in the dark) removes the
polarizes to access the piece of film. The film is then developed, and compared with the
film that has been in secure storage.
78
After being developed, the two images are compared (e.g., with a blink comparator
discussed below) to verify that they are identical and that the film coming from the seal
was not exposed to light. Because an adversary does not know what was on the film (the
image shot for each seal is completely different), he will have trouble counterfeiting the
image if he exposes the film in the seal to light. If the film in the seal has been around
intense radiation, it may be necessary to allow a correction for fogging caused by radiation
exposure.
Note that the assumption in this invention is that an adversary cannot determine the
proper orientation of pol 2 without using light that will expose the fast film. X-raying the
seal will not easily tell an adversary the polarizer orientations. The X-rays, first of all,
would fog the film. Secondly, trying to determine the molecular orientation of thin plastic
sheet polarizers from outside the seal with X-rays should be a daunting task. If desired,
barium sulfate an be added to the seal to block X-rays to further complicate X-ray imaging.
Probably a more practical and cost-effective approach would be to do away entirely with
the photographic film and polarizers. Instead, a miniature solid-state light sensor and
microprocessor is used at the location of the film. Once the seal is closed up, the light
sensor begins monitoring. When light is detected, the microprocessor instantly erases the
secret anti-evidence. The seal user (possessing the secret password) can check on the anti-
evidence via rf before opening the seal. This is similar to the Talking Truck Cargo Seal
described above. On the other hand, this microprocessor version would require a battery,
unlike the film version which is fully passive.
This seal concept can be scaled up or down. A tamper-indicating “safe” or “vault” made
of triboluminescent walls could, for example, be constructed. Other potential variations on
this seal include the use of color filters or circular polarizers (instead of linear polarizers)
so that the seal can be opened only in the presence of certain wavelengths and/or a certain
handedness of light.
Device #7 - Magic Slate Seal

Status: working prototypes of 2 different designs
Perhaps surprisingly, anti-evidence password seals do not need to be electronic. See

figure 12. The Magic Slate Seal [22] is solely mechanical, yet fully reusable. The seal is
named after the novelty toy that allows children to write or draw on a grey plastic sheet
with a plastic or wooden stick, then erase the “slate” by lifting the plastic sheet.
The Magic Slate Seal is a unique "combination" seal [16] where only the good guys know
the proper way (i.e., the combination) to open the seal without destroying the secret
information that indicates the absence of tampering. The bad guys, however, will destroy
the secret information in the processing of opening the seal.
79
Figure 12 - A prototype Magic Slate Seal that is intended to go through the hasp on a container or transport
vehicle.
The seal in figure 13 consists of a male and female half that snap together. No tools are
required to close or open the seal. The O-rings shown in figure 13 provide enough friction
to keep the seal from opening accidentally, and also protect the interior from moisture and
dirt.
Inside the seal is a cylinder with erasable writing. The cylinder can be made of metal or
else slippery plastics such as polytetrafluoroethylene or polyethylene. For this prototype, 6
different random digits or symbols are written around the circumference of the cylinder.
This is the anti-evidence.
The cylinder sits inside a larger diameter tube called the “sled”. At one end of the sled is
the eraser. This is a buna rubber and felt washer which has had a single slot cut in it, as
shown in figure 14.
To open the seal, the user rotates the male end to whatever angular position he wishes.
(See figure 14 for the end-on view.) The male and female halves are then pulled apart by
hand. The cylinder goes with the female half of the seal, while the sled goes with the male
half. In doing this, the sled drags along the outside of the cylinder, causing the eraser to
erase all the writing, except for the digit or symbol that aligns with its slot. As a result, all
but one of the digits or characters written on the cylinder gets erased. The erased “anti-
evidence” is no longer available to an adversary to counterfeit.
80
Figure 13 - Exploded view of a different prototype Magic Slate Seal.
Figure 14 - End-on view of a prototype Magic Slate Seal.
The seal inspector can report the letter (that is, the angular position in figure 14) where
he opened the seal, and the digit or symbol that was left on the cylinder. If the seal was
previously opened by the bad guys at a different letter, or the writing incorrectly
counterfeited, the digit or symbol left on the cylinder will be wrong or missing.
Alternatively, the seal inspector can be told in advance at what letter to open the seal,
and what digit or symbol he should then see on the cylinder.
There are several options for reusing the seal:
1. If desired, the seal inspector can re-close the seal, keeping the correct letter aligned. He
then would randomly rotate the knob. The seal can then be checked again at a later date
81
for tampering. (Although 5 of the 6 digits would have been erased for the prototype shown
in figures 13 and 14, we don't care, since we are only interested in one of the digits, and
which one that is will be kept a secret.)
2. The user can discard the cylinder (or return it to the factory for reuse) and open a blister
pack with a fresh cylinder previously printed at the factory.
3. The original cylinder can be reused in the field by writing new random digits or symbols
on the cylinder by hand.
4. The user can print new random digits or symbols on the cylinder using a small ink
printer or a one-time use “carbon” paper provided by the seal manufacturer.
We found it most effective to use “white board” dry erase markers for the erasable
writing in our prototypes because a great deal of engineering has gone into making the
“ink” completely erasable, even many months after being applied to a surface. Dry erase
markers are also quite inexpensive. Other types of erasable “inks” are also possible,
however, including carbon black and frangible paints such as Torque Seal (Organic
Products Company, Irving, Texas). Pre-oiling the cylinder prior to applying the writing
enhances the erasability of most inks.
Note that with the prototype shown in figures 13 and 14, the adversaries have a 1 in 6
chance of opening the seal at its correct angular position. (This is because there are 6 letter
positions on the end of the male half of the seal in figure 14.) They do not get a second
chance if they guess wrong.
If better odds are desired than 1 in 6, the Magic Slate Seal can be designed much like the
common bicycle lock shown in figure 15. There would be 3-5 different rings that the user
would rotate (instead of just the male end of the seal). Only if the slots in all the rings
correctly lined up would the erasable writing be safe from destruction when the seal was
opened.
Figure 15 - A commercial 4-digit combination lock that uses alignment slots. Each of the 4 disks has an
internal slot. Only when the slots align (at the correct combination) will the lock open. This type of design
could be used to increase the number of possible "combinations" for the Magic Slate seal, though a more
secure design would be necessary than exists on this inexpensive bicycle lock.
82
Device #8 - Skunk Seal
Type: novel conventional seal

Status: concept
Applications: low to medium level security.
The skunk seal concept is based on using the human sense of smell to detect if a seal has
been opened. For this seal, a semi-volatile chemical which has a strong, definitive odor at
low concentrations is placed inside the seal. Many odorous chemicals can be detected and
identified by the nose at part-per-billion (ppb = 10-9) to part-per-million levels. [23] For
example, mercaptans, which are often added to natural gas as a safety measure to impart
an odor (and used by skunks as a defensive measure) can typically be detected at
concentrations of a few ppb. Pleasant odors could also be used.
When the seal is opened, a small chamber or vial containing the liquid chemical is
ruptured. Alternately, microencapsulated forms of the chemical (“Scratch-n-Sniff”
technology) could be crushed to release the chemical vapor.[24] Yet another approach is to
let two chemicals react when the seal is opened to produce the odor of interest.
Whatever the odor-generating mechanism, the vapor would be allowed to escape slowly
through microscopic holes in the seal. If the chemical—either prior to rupturing the
chamber/vial or after—is allowed to soak into a porous membrane, fabric, or material with
large surface area, deep capillaries, and/or fissures (such as porous Vycor glass[25]), the
smell will persist for some time. If designed correctly, an adversary would have difficulty
rinsing out the seal sufficiently to mask the odor, especially if the interior of the seal, or
printing on it, was designed to dissolve in water or other liquids.
Replacing the seal with a counterfeit, on the other hand, leaves the adversary with the
problem of putting enough of the correct chemical (which might not be easy to identify
without high-tech methods) into the counterfeit seal to provide a strong odor when the seal
inspector opens the seal. He might also try to capture enough of the released odor from the
original seal to load up the counterfeit seal, but that might be challenging, especially
outdoors.
Inspection involves sniffing the seal prior to opening it to be sure no odor is present, then
opening the seal, followed by sniffing it again to be sure the correct odor gets generated. (If
not, the seal is probably a counterfeit, or else has previously been opened and “aired out”
for a long time.) A companion “Scratch-n-Sniff” sticker (kept separately by the seal
inspector) could help him recognize the correct odor in the field.
An adversary might be tempted to chill the seal so that the chemical freezes and its vapor
pressure drops to nearly zero. When the seal eventually warms up, however, the chemical
will start to vaporize. Moreover, it should be possible to design the seal so that the
chamber or vial contains water (or a water/anti-freeze solution) and fractures when
excessively chilled due to the expansion of the liquid as it freezes. This would release the
scent chemical.
83
If the exact smell used for each seal was kept secret, adversaries would not know in
advance which chemical to expect. The seal inspector could report to headquarters what
he/she smelled when the seal was opened (strawberry, vanilla, toluene, mercaptans, etc.),
perhaps by matching with a number of “Scratch-n-Sniff” stickers. In this way, headquarters
would know that the seal was actually inspected.
It is also possible to use commercial, hand-held, battery-powered organic vapor

detectors instead of the human nose. Units that cost between $200 and $6000 can
(depending on the chemical) typically detect concentrations in air 1 to 2 orders of
magnitude lower than can be detected by the sense of smell. Such instrumentation,
however, complicates the inspection process. It also removes the inspector from direct
interaction with the seal—something that is not conducive to optimal security.
Device #9 - Anti-Evidence Skunk Seal

Status: concept
It should be possible to design the Skunk Seal as an anti-evidence, password seal (either
mechanical or electronic). The correct password or mechanical combination would be
needed to safely open the seal without releasing the odor. (If the seal was mechanical
instead of electronic, it might be designed similar to the mechanical Magic Slate Seal
discussed above.) The seal could then be opened multiple times by the good guys without
releasing the odor. In effect, the lack of odor is the “anti-evidence”[16] that gets “erased”
when the odor is generated by the act of opening the seal.
Device #10 - Inverse Skunk Seal

Status: concept
If a highly volatile chemical is placed in the skunk seal, instead of a semi-volatile chemical
as described above, the inverse approach can be used. When the seal is opened, the
chemical will be released and rapidly evaporate away, leaving no smell when the seal is
later opened by the seal inspector. In this case, the absence of the correct smell indicates
tampering.
Device #11 - Anti-Evidence Inverse Skunk Seal
84
Status: concept
The inverse skunk seal can be designed so that the correct password or combination
would allow the good guys to safely open the seal multiple times without releasing the
volatile chemical.
Device #12 - MagTag
Type: complexity (anti-evidence) seal (and tag)

Status: U.S. patent 6,784,796 [26]; demonstrated with various prototypes
Applications: medium to high level security; can monitor volumes, not just
portals as with conventional seals
Figure 16 - The MagTag concept. A complex arrangement of randomly oriented permanent magnets of
varying strengths creates a very complex magnetic field outside the container. This will change if one or
more of the magnets is moved or rotated.
The MagTag seal is based on the fact that DC (constant) magnetic fields, such as those
generated by permanent magnets, are virtually unattenuated by most materials including
wood, plastic, water, concrete, soil, and only weakly attenuated by most metals. Thus, if we
place permanent magnets randomly throughout the interior volume of a container (or
transport vehicle), we can tell—from the outside—if they have been removed or slightly
moved based on changes in the external magnetic vector field generated by the magnets.
At each point in space, the magnetic field is the vector sum of the magnetic fields of all the
magnets.
For a sufficiently complex configuration of magnets inside the container, an adversary

can’t restore the original magnetic vector field (at all points in space) with a different
configuration. See figure 16. In other words, a tamperer must put the magnets back
85
exactly the way he found them, with the same magnetic strength, 3-dimensional (3D)
location, and orientation, or the tampering will be detected. Depending on the strength of
the magnets and the distance from the gaussmeter (magnetometer), the 3D positions and
orientations of the magnets may need to be replicated with considerable accuracy.
The more magnetic field measurements that the seal inspector can make at different
points in space (including out of the horizontal plane), the more difficult it is for an
adversary to counterfeit the magnetic field readings. If these point are kept secret, the
tamperer will have even greater difficulty. For routine applications, measurements at one
or two different points in space outside the container (or transport vehicle) are probably
sufficient. For better security, measurements should be made at 3-8 locations. Kinematic
mounts can be used to accurately position the gaussmeter probe. (See the discussion about
kinematic mounts in the section entitled, “Device #20 - Adhesive Label Seal with Blink
Comparator”.)
For this kind of approach, it is important that the cargo be well tied down. Otherwise,
movements of the magnets due to cargo shifting will be misinterpreted as tampering.
Note that rare earth magnets (the strongest kind of permanent magnet) are very brittle.
If they are well epoxied to the cargo, or to containers or pallets inside the cargo area, an
adversary may find it challenging to remove them for reuse without causing damage. We
have also designed mechanical “hysteresis” mounts that make it difficult to exactly
reposition a container or its lid once the container has been moved or opened.
There is a way, however, to obtain even better tamper detection. If we design a magnet
to move irreversibly when the transport vehicle’s door is opened or closed, or when the
cargo is moved, or when a container lid is removed, then it will be even harder for a
tamperer to escape detection. We have successfully demonstrated such “chaotic
scrambling mechanisms” on doors, filing cabinets, and drawers.[26] These randomize the
magnet’s orientation and sometimes also its position. To avoid detection, an adversary
may need to put the magnet back to within a few µmeters and arc-seconds of orientation,
especially if we can get the gaussmeter close to the magnet. The adversary cannot simply
glue down the magnet in its correct location and orientation, because this would keep it
from moving the next time the door or lid is opened. Simple capture mechanisms
guarantee that a magnet will become trapped in place when the door, drawer, or container
is fully closed and thus will not move during transport (unless tampering occurs).
For either the static magnet application, or the chaotically scrambled magnets, the
magnetic field can be measured outside the container or transport vehicle using
commercial handheld, battery-powered room-temperature gaussmeters (1 nT resolution
along 3 axes, ~$5000), with commercial magnetometer sensors (10-100 nT resolution
along 2 axes, ~$20), or with solid-state Hall Effect sensors (~200 nT resolution, ~$2)
mentioned in the section on the Talking Truck Cargo Seal.
With the most sensitive commercial, room-temperature gaussmeter, a single rare earth
magnet (residual induction=13300 gauss) of cylindrical dimensions 2.5 cm in diameter by
86
2.5 cm long (~$7 each) can be detected—or its absence noted—from 5 meters away, even
through a container, truck, or transportainer wall.[27] Larger magnets can be detected at
even greater distances. Table 1 shows the sensitivity to translation and rotation for this
same 2.5 cm x 2.5 cm cylinder magnet, assuming 20 nT sensitivity, for various distances
from the gaussmeter. When it is possible to get to within a few cm of the magnet, as will be
the case when a single magnet is applied to a door or a container lid, the magnet can be
quite small and of about the same strength as a refrigerator magnet.
Table 1 - Sensitivity to translation and rotation of a rare earth magnet, 2.5 cm in diameter and 2.5 cm in
length, assuming 20 nT resolution.
distance from minimum detectable minimum detectable

magnet (meters) magnet displacement* magnet rotation
0.20 0.1 µm 0.6 arc mins
0.25 11 µm 0.9 arc mins
0.50 160 µm 7 arc mins
1.0 2.6 mm 0.9°
1.5 1.3 cm 2.9°
2.0 4 cm 6.8°
________________________
* Along a line between the magnet and the gaussmeter.
Neither the orientation of a transport vehicle with respect to the Earth’s magnetic field,
nor the naturally occurring drifts in the Earth’s field (typically < 1% in magnitude and 0.1°
orientation per year) need concern us. This is because we can make a quick calibration
measurement of the background field before measuring the MagTag magnet(s). AC
magnetic fields from motors and electrical equipment also present no problem because we
are making DC measurements.
Some of the attractive attributes of MagTag include:
• There is nothing outside the closed container to suggest tamper detection. The
magnetometer or gaussmeter can be taken away between measurements; it is not
necessary to monitor the magnetic field continuously.
• We can “read” the tag/seal as many times as we want from the outside without
having to open the container or transport vehicle.
• No electrical power or batteries are needed until we wish to check the MagTag, and
then only for the seal reader (the gaussmeter/magnetometer).
87
• The (rare earth) permanent magnets are reusable, relatively inexpensive, and will
last for decades.
• In addition to detecting tampering, the arrangement of magnets also serves as a kind

of tag to uniquely identify the container or transport vehicle, or its contents.[26,27]
Device #13 - Tempered Glass Seal

Status: U.S. patent 6,553,930 [28]; partially working prototypes have been
constructed
It is unfortunate that glass has been largely overlooked for use in tamper detection. Glass
has many desirable properties including:
• inexpensive
• full transparency (so the interior of the seal can be inspected without
opening it)
• chemical inertness (thus outstanding resistance to corrosion and aging)
• resistance to ultraviolet light & ionizing radiation
• can handle temperature extremes
• relatively light weight
• great strength and hardness (though considerable brittleness)
• ability (in tempered glass) to store enormous stresses that can be released
when the glass is cut or drilled, thus severely damaging the glass; this can
be a very successful tamper-detecting mechanism
• can be tricky to repair in the field
• is an electrical insulator, making it safe to use around electricity
• each batch of glass has a unique chemical “fingerprint” due to trace
impurities
• requires glass blowing skills to manufacturer & is non-machinable (making
counterfeiting by novices difficult)
The idea with the Tempered Glass Seal is to create two glass tubes that can be
irreversibly snapped together using an internal locking ring.[28] See figure 17. Note that
once the two halves of the seal are snapped together, an adversary only has access to glass,
not to the internal locking ring. It is thus extremely difficult to pick the seal open.
The glass tubes are manufactured so as to contain the appropriate level of internal
stresses. This can be carefully adjusted by controlling the amount of tempering.
Tempering means to cool the glass relatively quickly, in a controlled manner, from above
the annealing temperature so as to generate internal compression and tension areas due to
differential cooling. Automobile windshields or glass bathroom shower doors, for example,
88
are tempered to create great strength, and to allow them to fail in a safe manner, i.e.,
without sharp shards.
Figure 17 - Schematic of the Tempered Glass Seal. The two halves of the seal (bottom) are shown snapped
irreversibly together (top) using the internal locking ring, 18. Elements 16 and 20 are airtight O-rings that
keep pressure in and moisture and dirt out. From U.S. Patent 6,553,930.
The tempered stresses in the glass tubes are not so high as to cause the glass to explode—
simply to break into multiple pieces if cut, sawed, or drilled. The tempering is adjusted to
make sure that the seal can withstand the usual forces encountered in routine handling and
transport.
A serial number can be placed inside the seal with a printed band or tube, etched on the
outside or inside of the glass (before tempering) using mechanical or chemical etching, or
printed on the outside of the glass using ink.
If tempered correctly, the glass seal will disintegrate if the surface is scored, sawed, cut,
drilled or ground, yet the seal can be handled very roughly without damage if the surface is
not gouged. Proper tempering will prevent the seal from fracturing into sharp shards when
the surface is damaged. If shards are nevertheless a concern, or if the seal will be subject to
severe banging and abrasion in regular use, a clear plastic coating or sleeve can be placed
around the glass to protect it.
The seal is removed by simply scoring it with a file, or giving it a sharp blow with a hard
tool that damages the surface.
Device #14 - Glass and Powder Seal
89
Type: complexity (anti-evidence) seal

Current status: mockups constructed; another possible embodiment of U.S.
patent 6,553,930 [28]
The Glass and Powder Seal is a variation on the Tempered Glass Seal. Lightly packed
inside each seal half are various bands of fine colored powder. See figure 18. Each band is
a different color and perhaps thickness. The bands may be made from different materials,
with a different texture and average particle size. (Exotic chile powders and other spices
work well and are inexpensive.) Each seal half has a different set of bands, so that no Glass
and Powder Seal is identical to any other. One of the bands inside each seal can be a
desiccant powder to keep the other bands dry.
The powder bands can be packed by mechanically stuffing them into the glass tubes with
a rod (something like loading an old style musket). Alternately, the powders can be more
quickly loaded into the tubes by placing the tubes on a slow-spinning centrifuge, and
introducing each powder into the tube through a small Teflon tube down the center of the
centrifuge. (High speed centrifuging is not desired since we do not want the powders to
become too densely packed.) After all the powder bands are in place, the end of each seal
half is plugged with steel or glass wool, cotton fibers, a thin plastic stopper, or an epoxy
plug to keep the bands from moving.
Each tube might contain one or more small air pockets, particularly at the closed end of
the tubes. These air pockets can be protected from the powders by a glass frit with
microscopic holes. The air pockets are under modest pressure. This can be easily achieved
by cooling the glass tubes prior to sealing. The pressurized air pockets are intended to
launch the powders if the glass tube fractures. (There may, however, be enough air in the
spaces between powder particles to accomplish the same thing without any macroscopic
air pockets.)
Figure 18 - Mock-ups of the Glass and Powder Seal, with powder bands of varying color, composition, and
particles shown.
90
If an adversary tries to cut, saw, drill, or grind the seal, the tempered stresses causes the
glass seal to break into many pieces. Also, the internal (unknown) positive pressure inside
the seal, launches the powder. Both mechanisms disperse and mix the powders and
destroy the bands. Trying to gather up the powders so as to recreate the band pattern is
not impossible, but it would be a time-consuming, non-trivial task for an adversary.
Accurately counterfeiting the correct color or reflectance for each powder would also be
non-trivial, as would chemically counterfeiting the powders.
To check the seal for signs of tampering, the seal inspector holds up a smaller glass tube,
containing the same bands of colored powder. This tube was loaded at the same time as
the seal with the same powders in the same sequence. (Alternately, a color image of the
bands printed on a slip of paper can be used for comparison.) He/she then does a side-by-
side comparison with the seal—rather like comparing tree rings. Another way to read the
powder bands is to scan them with a commercial hand-held colorimeter or reflectance
meter.
If desired a small compressed metal or glass spring can be placed in the glass tubes prior
to loading the powder. When the seal is cut, sawed, or drilled, the tempering causes the
glass to fracture. The force stored in the spring is then released and further helps to
disperse and mix the powdered bands.
For a higher level of security, the powders and/or glass can be analyzed for trace
impurities to verify their authenticity.
Device #15 - Glass Rivet
Type: novel conventional seal or complexity seal

Current status: concept only; another possible embodiment of U.S. patent
6,553,930
Rivets conventionally used on the handle of truck and transportainer doors are a problem
for effective cargo security. See figure 19. Especially where ocean salt air is involved, the
rivets are often severely corroded and nearly ready to fall off. When dirty and corroded,
they are difficult to inspect. Commercial cargo thieves know this and often drill out the
rivets or cut them off with a zip gun. They can then open the truck or transportainer door
by rotating the vertical locking rod without disturbing the lock or seal on the handle.
Counterfeit rivets are easy to put back, if the thieves wish to hide their attack.
91
Figure 19 - Transportainer showing a lock on the handle. The arrow points

to the handle’s rivet that is a source of vulnerabilities for cargo theft.
It would make more sense to directly lock or seal the vertical locking rod in figure 19
than to lock or seal the handle. There is, however, often considerable resistance on the part
of cargo handlers to changing the long tradition of checking the lock or seal at the handle.
One way to fix this problem is to replace the steel rivet on the handle with a solid glass
“rivet”. This rivet consists of two tempered, solid glass pieces with an internal containment
(locking) ring to snap them irreversibly together, similar to how the two halves of the
Tempered Glass Seal snap together irreversibly. See figure 20.
Being made of glass, the rivet will not corrode. Its transparency permits a full inspection
of the glass rivet’s integrity inside and out. The glass strength is sufficient to withstand
ordinary cargo handling, yet if the glass rivet is drilled, cut, sawed, or ground, the tempered
stresses will cause the rivet to severely fracture. Unique “fingerprint” identifiers can be
added to the glass rivet such as internal or external serial numbers on the back of the rivet,
or dyes or internal reflective particles blended into the glass. A trace analysis of the glass
itself is also an excellent, hard to counterfeit fingerprint.
If the interiors of the rivet halves are partially hollow, a series of powder bands, or else a
2-dimensional array of powders, like a 2D sand painting, can be used to make each rivet
unique. See figure 21.
92
Figure 20 - Glass Rivet with internal locking ring, shown

unassembled (left) and assembled (right).
Figure 21 - Mockup of a tempered glass cap (one-half of a glass rivet) with a two-dimensional complex
powder pattern. (What is shown here is slightly larger than would be used for a glass rivet.) The powder
includes glitter particles. The tempering means that any attempt to cut, drill, saw, or otherwise damage the
glass rivet will cause the powder to become scrambled. The other half of the rivet (not shown) snaps
irreversibly to this glass cap via an internal metal locking ring.
93
Device #16 - Haspless Plug Seal
Type: novel conventional seal or lock

Status: working prototypes of several different designs have been constructed
Applications: low level security, or to delay an adversary
Many conventional seals (as well as locks) require a hasp. Without a hasp, there may be
nothing to attach the seal (or lock) to. A lot of containers, however, are not specifically
designed with a hasp. They can sometimes be retrofitted with a hasp using welding or an
epoxy, or by drilling a hole through the container lid, but such add-on hasps are often
highly vulnerable to attack. Moreover, certain containers cannot be modified in this way
because it would change their geometry, affect their safety, and/or void their certification.
Containers that do not intrinsically come with a hasp often have a lid, cover, or cap that is
attached to the main body of the container with bolts or screws. To gain access to the
container contents, these screws or bolts must first be unscrewed so that the lid, cover, or
cap can be removed.
Our Plug “Seal” allows a seal (or lock) to block access to a screw or bolt holding on the
container lid, cover, or cap. The plug device is inserted into the body hole used for the
screw or bolt. No modification to the screw/bolt, body hole, or container lid is necessary.
Depending on the container design, more than one Plug Seal may be needed if multiple
screws or bolts require protection.
Figures 22 and 23 show one possible design. The concept is basically as follows: the plug
shown on the right in figure 22 is inserted into the body hole for the bolt. The nut on the
device is tightened using the “wrench” shown to the left in figure 23. This forces the
washer to squeeze on the rubber plug, causing it to expand radially and become wedged
into the body hole. The nut can be tightened to the point that several hundred pounds of
force (or more) are required to pull the plug out of the hole.
Spikes can be attached to the circumference of the rubber so that the forced expansion of
the rubber plug drives the spikes into the body hole wall, further resisting the removal of
the plug. This may, however, damage the body hole.
The plug can be attached to a stainless steel tube, as shown in figure 23, prior to
compressing the rubber. After compressing the rubber, a conventional padlock or seal is
inserted through the hole (hasp) in the hardened steel tube. This padlock or seal blocks
access to the plug nut so that it cannot be easily removed from the hole without removing
the padlock or seal first. The wrench is then used to loosen the nut on the plug. This
relieves the pressure on the rubber and the plug can then be pulled out of the hole with
minimal force.
94
Figure 22 - One implementation of the Plug Seal. The “wrench” at the left is used to rotate the nut at the left
end of the plug after the plug has been inserted into a bolt hole. This compresses the rubber, causing it to
expand inside the bolt hole. There are other possible mechanisms for compressing the rubber as well.
Figure 23 - The plug is shown mounted to a hardened steel tube, which is placed inside a simulated bolt body
hole. After the plug’s rubber is expanded, a standard commercial bolt seal, passing through a hasp in the steel
tube, blocks easy access to the plug. This makes making removal of the plug (so that the bolt can be accessed)
more challenging if an adversary wishes to leave no evidence of accessing the container contents.
Figure 24 shows another approach that makes use of the Tempered Glass Cap that was
shown in figure 21. The assembly is then totally flush with the container wall, leaving
nothing for an adversary to tug on.
95
Figure 24 - Another way to protect the plug in the bolt hole is with the Tempered Glass Cap from figure 21.
It snaps irreversibly to the plug using an internal locking ring. Being flush, there is little for an adversary to
grab onto in order to attempt to remove the plug, which is being held tightly in place because of the expansion
of the plug’s rubber. To gain access to the bolt, the glass cap can be struck with a center punch. The
tempering makes the blow cause the cap to disintegrate, destroying the unique two-dimensional powder
“sand painting” seen in the photo.
Device #17 - E-Cup Insert
Type: enhancement of conventional seals, particular the metal (E-cup) seal

Status: U.S. patent 6,588,812 [29]; a working prototype has been constructed
The E-cup seal, also known as the “metal cup seal, type e” or the “cup wire seal” has been
widely used for U.S. domestic nuclear safeguards for several decades. See figure 25. The
International Atomic Energy agency (IAEA) has its own, more complex version of the seal.
Figure 25 - Some commercial wire loop seals, including the E-cup on the left.
96
Figure 26 - The insert, with its sharp barbs, is shown between the two
halves (Elements 40 & 42) of the E-cup. From U.S. Patent 6,588,812.
The E-cup seal consists of a string, single wire, or strand of wires, together with two small
metal cups that are meant to snap together in a (supposedly) irreversibly manner. Prior to
snapping the two metal halves together, the wire or cord passes through the hasp on the
container to be sealed. The two ends of the wire or cord are then passed through separate
holes in one of the cups. The ends of the wire or cord are then crimped or tied together,
and the two cup halves are snapped together.
Some of the potential attacks on the E-cup may involve flexing, skewing, or compressing
the metal halves. To counter this, an insert of the kind shown in figure 26 with sharp, hard
barbs can be placed inside the two cups prior to snapping them together. This insert will
cause obvious damage to one or both of the cups should such manipulation of the E-cup be
attempted.[29,30] The insert does not interfere with the normal sealing process, nor does
it require any changes in the manufacture of the E-cup seal.
An additional advantage of the insert is that it can, if desired, be used to more securely
and repeatably capture the ends of the seal’s wire or string.[29]
The same insert concept would work for other kinds of seals that have an internal inner
cavity between two halves that snap together.
97
Device #18 - Multi-Strand Wire Loop Seal
Type: enhancement of conventional wire loop seals

Status: concept
One possible category of attacks on conventional “wire loop” seals (such as the E-cup in
figure 25) involves splicing the wire that passes through the hasp. An adversary can do this
quite a number of different ways, including using soldering, brazing, welding, epoxies, or
other wire repair methods. A competent splice attack can be difficult and time-consuming
to spot with manual inspection.
For robustness, many wire loop seals use strands consisting of 2-4 wires, sometimes
twisted around each other. The idea with the Multi-Strand Wire Loop Seal is that the
individual “wires” should be made of highly dissimilar materials, instead of the same
materials as is currently done. This can potentially complicate and delay a splicing attack.
For example, if the individual wires have melting or flammability temperatures that are
very different, thermal splicing methods like soldering, brazing, or welding that would
work on one of the wires might destroy an adjacent wire made of a different material with
a much lower melting or flammability temperature. If nothing else, materials with highly
disparate properties require an adversary to become proficient at executing a wide variety
of different splicing skills.
Materials that can be made into bendable “wires” with very dissimilar properties that
would require very diverse (and sometimes difficult) splicing techniques include plastics
and other polymers, glasses, ceramics including aluminum oxide, clays, aluminum alloys,
pewter, stainless steels, titanium, self-lubricating micro-pore brass, plant stalks or fibers,
textile fibers, and liquid- or gel-filled tubes. Tungsten is a potentially interesting material
for tamper-detection because tungsten wires fray longitudinally when cut transversely.
Device #19 - Tie-Dye Seal
Type: novel conventional seal or complexity seal

Status: partially demonstrated
Applications: medium to high level security; can monitor volumes or areas, not
just portals as with conventional seals
Color can be a difficult property to accurately counterfeit, thus making it of interest for
tamper detection. Small, inexpensive solid-state color sensors with remarkable color
resolution are now commercially available. These perform precise color measurements
that were previously available only with expensive handheld colorimeters. For example,
the TAOS TCS230 color sensor (~$2.50 each) outputs RGB color values from an electronics
package approximately 5 x 6 x 1.7 mm in size.[31]
98
For a Tie-Dye seal (prototype shown in figure 27), the color sensor is placed inside the
hollow body of the seal and rigidly mounted. A white LED is used to provide illumination
inside the seal, though this does not need to run continuously, but can instead be turned on
a random, unpredictable times so that a color spectrum can be measured intermittently.
Figure 27 - Working Tie Dye Seal prototype.
The inside of the seal is painted with a complex varying color pattern, not unlike the “Tie-
Dye” T-shirts popular in the 1960’s. Because this interior color pattern is so complex, it is
difficult for an adversary to counterfeit it in order to try to defeat the seal. Moreover, any
movement or change in location of the sensor with respect to the colored background is
instantly detected as a substantial change in the color spectrum. (This might not be the
case if the background was uniformly painted.) Any object such as a pick tool, even if quite
small, that passes between the color sensor and the colored background will also instantly
cause a change in the color spectrum. There is no one color that the tool could be painted
that would allow it to blend into the background as it moves. Moreover, any ambient light
that is allowed inside the seal when the seal is cut open will also be detected by the color
sensor.
To make things even more difficult for an adversary, we can use 3 different LEDs, one
red, one green, and one blue to provide the illumination inside the seal. They will be turned
on in unison at random, unpredictable times to allow a color measurement. Each time they
are turned on, however, each LED will have its own random intensity. Thus, the color
spectrum seen by the color sensor at any given time cannot be easily predicted by the
adversary in advance.
The microprocessor in the seal, on the other hand, can calculate the expected color
spectrum for any combination of LED intensities. This is because it has run through color
99
calibration curves (when the seal was first installed) by illuminating each LED one at a
time. This is a luxury not available to the adversary.
To spoof the color sensor, an adversary needs to measure the intensity of the 3 different
LEDs, then figure out what color spectrum to counterfeit. This must be repeated each time
the LEDs light up.
Note that this approach doesn’t need to be limited to the interior of a seal. The concept
can be scaled up to large containers, or even entire vaults or cargo-holds.
Device #20 - Adhesive Label Seal with Blink Comparator
Type: improved conventional seal & complexity seal

Status: demonstrated
Pressure sensitive adhesive labels seals are popular for many security applications,
including nuclear safeguards. These seals are inexpensive, and considered to be easy for
relatively untrained personnel to apply. In our view, however, adhesive label seals do not
provide reliable tamper detection.[32] We have demonstrated on many different
products—including those used for nuclear safeguards—that they are typically easy to
counterfeit, and even easier to lift and replace without leaving any noteworthy evidence.
Highly frangible label seals are sometimes used based on the hope that they can more
reliably detect tampering. Such seals, however, are usually difficult for the seal user to
apply without causing more initial damage than an adversary needs to inflict in executing
an attack. Highly frangible seals, moreover, are not sufficiently robust for most transport
applications.
Adhesive label seals become far more useful if “before” and “after” images of the seal can
be compared visually using a blink comparator. Blink comparison is a 120-year old
technique for quickly spotting any differences between two similar images.[33,34] The
technique was used to discover the planet Pluto and is still used to efficiently discover new
asteroids and other astronomical objects, and for medical imaging.[34,35]
For a blink comparison, registered images are alternately displayed, typically alternating
at a rate of 4-40 times per second. Any difference appears quite dramatically as movement.
This is the visual phenomenon that makes television and movies work: Still images are
shown in rapid sequence. Any difference is interpreted by the human brain as movement.
In a mechanical blink comparator, separate photographs are viewed through a half-

silvered mirror. The photos are alternately illuminated, typically so rapidly that they
appear to be one image. Nowadays, a blink comparator is most easily implemented on a
computer screen using digital images. We have written and demonstrated our own blink
comparator program for use with seals, including adhesive label seals.
100
A blink comparator can be a remarkably powerful tool for allowing an observer to

instantly spot even minor differences between two images. This is done at a subconscious
level, so that it is nearly effortless for the observer to interpret blinker images. For many
applications, a human observer properly using a blink comparator can outperform even
very sophisticated computer image comparison algorithms, both in terms of speed and
accuracy. It might seem likely that seal examinations would be highly subjective using a
blink comparator. In practice, however, there is usually little or no disagreement between
experienced users of blink comparators as to whether tampering is indicated.
For adhesive label seals, a blink comparator would be used as follows. First, the seal user
applies the adhesive label seal, then records its digital image. If the seal (or container it is
on) is likely to receive rough handling, or be exposed to a harsh environment or
considerable dirt or dust, it is a good idea to protect the seal with a cover or removable
plastic sheet. When it is time to inspect the adhesive label seal, a second image of the seal is
recorded. At some point, the “before” and “after” images are compared using a blink
comparator. This can be done quickly and easily in the field using a notebook computer if
the “before” image can be securely transmitted to the seal inspector, perhaps using
encryption. (If an adversary can tamper with either the before or after image, he can easily
spoof the tamper detection.)
High resolution images are not needed for reliable blink comparisons of adhesive label
seals. Images with 300 x 400 pixels are usually quite satisfactory, if in good focus. In our
experience, the most effective blink comparisons occur on black and white images; color
just distracts the observer. If color information about the seal is thought to be of interest,
the red, green, and blue (monochrome) planes should each undergo a blink comparison
separately.
We are convinced that the absolute key to blink comparisons is using a good kinematic
mount. This is a simple, inexpensive mechanical mount that can be used to reproduce the
camera position and orientation with remarkable accuracy.[36] If designed correctly, the
kinematic mount is even self-temperature compensating.
It is common to try to use a blink comparator for other (non-seal) applications without
using a good kinematic mount or even no kinematic mount at all. This is a big mistake, and
we suspect accounts for why some people find blink comparators only marginally useful.
Attempting to register (that is, “align”) the images after the fact in a manner that corrects
for different camera optics, locations, angles, or even skew, is invariably unsatisfactory,
even though the registration may look visually acceptable.
Another advantage of a good kinematic mount is that lighting conditions are relatively
unimportant. We have demonstrated for adhesive label seals that a blink comparator can
allow us to detect very subtle evidence of tampering even if the before and after images
were recorded with very different mean illumination levels, and severely different spatial
gradients in the lighting.
101
It is possible to use different cameras, and even different kinematic mounts at the
shipping and receiving ends. The cameras, however, should be the same model and use
identical optics. The kinematic mounts need to be well designed.
Device #21 - Beads-In-A-Box Seal
Type: complexity seal

Status: demonstrated, including for moving cargo
Applications: medium to high level security; can monitor volumes, not just
Figure 28 shows a polycarbonate box (25 x 25 x 25 cm) containing transparent,

compressible toy balls of various colors. These balls are multi-faceted and close-pack fairly
efficiently when pressure is applied from above by the layer of foam located at the top of
the box, just inside the hinged lid. (For real cargo, the polycarbonate box can be replaced
with an ordinary crate or box having at least one window so that the contents can be
photographed.)
Also visible in figure 28, near the center of the polycarbonate box, is a wooden jewelry
box. This contains the “assets” that we wish to check for tampering. In order to get to the
assets, an adversary must move the multi-faceted balls. To cover his tracks, he must then
put them all back with considerable accuracy, in terms of both 3-dimensional position and
angular orientation. Indeed, even just opening the lid causes enough change in the tension
that a number of the balls move irreversibly.
An adversary cannot glue the balls individually back into position, because when it is
time to inspect the container, the seal inspector will check that the balls are all independent
when he opens the container.
The most effective way to detect movement of the balls is with a digital camera and a
blink comparator. It is very easy to tell the difference between a box that has not been
opened, one that has had the lid briefly opened, and one where an adversary removed, then
later replaced the assets at the center of the box. This is true even for a box that has been
handled very roughly during transport.
102
Figure 28 - An example of a beads-in-a-box seal. The “beads” in this case are multi-faceted silicone balls.
Any access to the box disturbs the balls, which can be easily detectected with a blink comparator.
Figure 29 - Another approach for roughly-handled cargo shipments where multi-faceted plastic jewelry
beads are hung in a plastic bag that is allowed to freely swing. The beads are relatively stationary with
movement of the container or vehicle the bag is in, but readily move when the bag is disturbed or opened.
103
If the box will be subject to dropping or severe shaking, a few of the balls move slightly
from such rough handling, but it is easy to tell the difference between this and tampering.
Nevertheless, if desired, the amount of movement likely to occur during shipment can be
tested prior to shipment by deliberately shaking or dropping the box, then comparing the
“before” and “after” images with a blink comparator. This will indicate which of the few
balls should be discounted if they move slightly after the real shipment reaches its
destination. (None of this is relevant, of course, if the assets remain stationary during the
period of time we are concerned about tampering.)
For especially rough shipments, a better technique is depicted in figure 29. In this case,
multi-faceted jewelry beads are used. These, along with the asset(s) of interest, are
vacuum packed inside a clear, thin-walled plastic bag. The tension on the plastic bag,
caused by the pressure differential between the inside and outside of the bag, keeps the
beads virtually frozen in place. If the bag is suspended from a pendulum mount, the beads
are virtually immune from inadvertent movement short of handling so rough that it
damages the cargo.
Either the box or bag technique can be scaled up or down over a considerable size range.
The balls or beads are totally reusable, making this a very inexpensive seal. With a good
kinematic mount, only a few seconds are required to record a digital camera image and
compare it with the “before” image using a blink comparator on a notebook computer. Of
course, both the before and after image must be securely transported or transmitted to the
same location (not necessarily the cargo destination) so that they can be compared to
determine if tampering took place.
Neither the balls nor the beads in figures 28 or 29 interfere with gamma ray
measurements, or rf communications. Also, the balls or beads can pack around electronic
cables leading to or from the interior, or camera lenses. Thus, the Beads-in-a-Box seal
might make be useful as inexpensive, reusable, “transparent” tamper detection for
safeguards monitoring equipment.
Device #22 - Theodolite Seal
Type: complexity seal

Status: concept
The Theodolite “Seal” is a remote, non-contact, optical method for determining if a

container in a vault, warehouse, or cargo hold has been disturbed. (If the containers are in
a moving transport vehicle, they must be tied down well.)
The idea behind the Theodolite Seal is that it can be difficult and time-consuming for an
adversary to exactly reposition one or more containers (or their lids) after tampering. This
is especially the case if the lid or underside of the container is designed with a mechanical
hysteresis mechanism that does not allow it to return to its original position or orientation
104
when the load is lifted. There are many possible mechanical designs for such hysteresis
container or lid supports.
Changes in a container’s position or orientation (or that of its lid) as small as a few
µmeters and a few arc-seconds, respectively, can be measured with a nearby digital
camera, using a good kinematic mount and a blink comparator technique.
Even from a considerable distance, the position of a container or lid can be quickly
measured with good accuracy. At a distance, a camera with a telescopic lens, plus a blink
comparator can be used. Another approach is to use a commercial 3 arc-second theodolite
used for surveying (cost< $5K). This can detect a translation as small as 700 µm
(perpendicular to the line of sight) from a distance of 50 meters. At the same distance, a
rotation of 5 arc-minutes can be detected for a container or lid of diameter 1 meter. (This
is near the diffraction limited resolution of the theodolite.)
Checking for tampering by using a theodolite or camera with a blink comparator can be
done in a non-contact manner that does not interfere with other tamper or intrusion
detection devices. A clear line of sight, however, must be available to the container or lid
being checked.
The camera or theodolite can be taken away between measurements, especially if a good
kinematic mount is used for accurate repositioning. Different theodolites or digital
cameras can be used at the shipping and receiving ends to make the “before” and “after”
measurements, thought identical models should be used.
The exact position of containers can also be mapped out with a variety of commercial 3D
profiling instruments, including laser 3D scanners, holographic and interferometric
devices, structured light profilers, and coordinate measurement machines.[37] Typical
resolutions are 3 mm at a distance of 100 meters, to a few µm at 1 meter.
Device #23 - Epoxy Mixer Seal

Status: concept
The Epoxy Mixer seal contains two colored liquids that get mixed when the seal is
opened. An adversary would find it difficult to separate the liquids once they mixed in
order to try to hide the fact that the seal had been opened. (This is especially true if the
liquids are designed to react chemically, or change color when in contact.) This might leave
counterfeiting as the adversary’s simplest attack.
The most efficient way to mix the liquids for a passive seal is to use an epoxy mixing
baffle of the sort shown in figure 30.
105
Figure 30 - An epoxy mixing tube. This is a baffle used to

mix two-component epoxies as they flow down the tube.
Device #24 - Aeolipile (Spinning Gas Jet) Seal

Status: concept
Applications: high level security; can monitor volumes, not just
In 50 AD, Hero of Alexandria invented the world’s first steam engine, called an
aeolipile.[38] Water was heated such that the resultant steam could pass through pipes
into a hollow sphere. See figure 31. The sphere had two jets through which the steam
could escape, generating thrust that caused the sphere to rapidly rotate about its axis. It’s
not clear if Hero’s device was ever actually built. In any event, the aeolipile was never
considered anything but a toy until more than a thousand years later.
Now in order to keep a valuable asset (or cargo) safe from intrusion or tampering, it is
generally placed inside some container. We and others have shown how easy it is to
quickly penetrate container walls without leaving obvious evidence. These surreptitious
entries, however, are substantially more difficult if the walls are constantly moving.
Constantly moving the heavy walls of a conventional container, isn’t practical, but
constantly spinning a lightweight aeolipile requires little energy. The hollow, spinning
aeolipile sweeps out a volume in space that cannot easily be penetrated by an adversary
without interfering with the rotation of the aeolipile shell.
106
Figure 31 - Hero’s Aeolipile. of Alexandria invented the world’s first steam engine, called an aeolipile.[38]
Water was heated such that the resultant steam could pass through pipes into a hollow sphere. The sphere
had two jets through which the steam could escape, generating thrust that caused the sphere to rapidly rotate
about its axis. It’s not clear if Hero’s device was ever actually built. In any event, the aeolipile was never
considered anything but a toy until more than a thousand years later.
The assets to be monitored for tampering go inside the aeolipile, on a stationary platform
supported by an internal frame mounted to the hollow rotation axis of the aeolipile. The
spinning aeolipile shell—the equivalent of the sphere in figure 22—can be made out of thin
plastic or aluminum, balsa wood, or even paper. It can be a sphere, cylinder, or other
cylindrically symmetric shape, and scaled up or down to the appropriate size.
The aeolipile’s rotation is powered—not by steam—but by a small electric motor and

battery, or by a tank of compressed gas or a small external air pump. (If blades are
attached, the aeolipile can even be driven in a non-contact manner by a nearby fan or air
jet.) The lightweight spinning aeolipile represents no safety hazard because it can be
stopped simply by reaching out and touching it, without harming one’s hand. The reduced
rotation rate, however, will be detected and interpreted as tampering.
To monitor the rotation rate, a small battery-powered microprocessor is placed inside

the spinning aeolipile on the stationary support platform, along with the assets of interest.
It can detect a change in rotation rate various ways, including with a photodiode, a shaft
107
encoder, or with a Hall Effect magnetic sensor measuring the rotation of a weak magnet
placed on the spinning axle or aeolipile’s shell. Any attempt by an adversary to gain access
to the assets (including attacking along the rotation axis of the aeolipile) necessarily
requires altering the rotation speed. This is immediately interpreted by the
microprocessor as intrusion or tampering. The microprocessor then erases the anti-
evidence stored in its memory.
The good guys can check on the status of the anti-evidence at any time, including while
the aeolipile is still rotating, by sending the password to the microprocessor using rf
signals. The microprocessor can respond by talking (as with the Seal #4 - the Talking
Truck Cargo Seal), or it can instead transmit the secret anti-evidence by a return rf signal.
Tags
Device #25 - Time Trap as A Product Anti-Counterfeiting Tag
Type: a product anti-counterfeiting tag

Status: working prototype
Applications: countermeasure to product counterfeiting; requires some technical
sophistication to defeat
The Time Trap (Device #2) is a trap or seal. It can, however, also be used as a product
anti-counterfeiting tag. The 2-letter hash that authenticates the time can be thought of as a
time-varying product “serial number”. The customer would only be allowed to view the
authentication hash a few times. The hash could be looked up on the Internet or called in
over the telephone. Alternatelly, the hash could be checked using a computer program or
handheld device that would only show authentication hashes for the current time.
In order to counterfeit the product, the bad guys would need to know future
authentication hashes for at least one legitimate product. This would require reverse-
engineering the device and beating the intrusion detectors.
Device #26 - Virtual Random Numeric Tokens
Type: a product anti-counterfeiting (virtual buddy) tag

Status: concept
Applications: countermeasure to product counterfeiting; difficult to defeat in volume
The idea of virtual random numeric tokens is deceptively simple.[56] The manufacturer
of a mass-produced product, lets say pharamaceuticals as an example, puts an extra “Bottle
ID” on each bottle. This is a unique, random, unpredictable number chosen for each bottle
in a given lot. (The manufacturer starts over again with each new lot.) The number of
Bottle IDs must be at least 1000 times greater than the number of bottles in the lot.
108
Customers anonymously “call-in” to the manufacturer (or his representative) via the
Internet or telephone to see if they have a valid Bottle ID for the given lot number.
Product counterfeiters have the problem that if they guess Bottle ID numbers, most of the
ones they guess will be invalid and the customers will be immediately alerted that they
have a fake.
Product counterfeiters can presumably get hundreds of valid Bottle ID numbers, but this
does not help them to do mass counterfeiting because the fact that duplicate valid bottle
numbers keep getting called in will make it possible to tell the calling-in customers that
they probably have a fake with high probability. Typically, more than 98% of the
counterfeit products called in will be detected. Malisciously calling in fake Bottle IDs has
very little impact.
Volume customers of the product can also check their past and current stock for
duplicate Bottle IDs without calling in. This works well to detect fakes because counterfeit
products tend to cluster in the supply chain.
There are several important points about virtual random numeric tokens that are often
overlooked. This is NOT the same thing as serialization! It is not track & trace nor a
provenance method, though it can be use in conjunction with such techniques. The virtual
random numeric token is a buddy tag that does not need to be physically attached to the
bottle, co-located with it, or generated at the factory. Also, manufacturers that try to
implement something like virtual random numeric tokens typically make a number (or
most!) of approximately 3 dozen mistakes in doing so. Please contact the authors for more
information.
We use virtual random numeric tokens for our wine authenticity device shown in figure
33.[1,39]
109
Figure 32 - A virtual random numeric token requires a product ID (or bottle ID for bottles) that is not the
same thing as serialization.
Figure 33 - Wine authenticity prototype. The inexpensive, reusable silver cap on top of the wine bottle can
determine if the wine bottle has ever been opened (using an anti-evidence seal), and if it is an authentic bottle
(using a virtual numeric token). The cap is connected to the Internet using a cable to “call-in” the virtual
numeric token.
Real-Time Monitoring
Device #27 - Town Crier Monitoring
Type: an anti-evidence type of real-time monitoring

Status: working prototypes of different designs
Applications: high level security for vaults, warehouses, and moving cargo. Also, a
possible technique for complicating attacks on intrusion sensors.
The anti-evidence approach can also be used for real-time monitoring.[17,40,41] A “real-
time monitor” is a device or system that watches over an object or container, and then
produces an immediate alarm if the object or container is removed, tampered with, or
experiences unauthorized intrusion. The alarm is typically intended to scramble a guard or
police force.
The alarm signals issued by most conventional real-time monitoring systems are often
easy to block or jam. More sophisticated systems may rely on high-bandwidth two-way
110
communication, radio frequency signals, sensor status and state of health checks, data
authentication or encryption, and/or complex hardware and software. The resulting
complexity often opens up new attack vectors for an adversary, increases costs, and can
impede transparency and negotiability for nuclear treaty monitoring.[17,40,41]
With the “Town Crier” (anti-evidence) approach to real-time monitoring (see figure 34),
when unauthorized access, tampering, or theft is detected, we don’t send an alarm that can
be easily blocked or jammed. Instead, as long as everything is fine, we have the real-time
monitoring system occasionally transmit a simple “All OK” byte called the “bingo number”.
The correct bingo number at any given time is known only to the monitoring system and to
the good guys listening in. Should the correct bingo number fail to arrive when expected,
trouble is indicated. Unlike blocking an alarm signal, the bad guys gain nothing by blocking
the “All OK” signals. They can try to counterfeit the bingo number, but have only a 1/256
(0.4%) chance of guessing one bingo byte correctly, 1/65536 (0.002%) chance of guessing
two correctly, etc.
Figure 34 - The real-time Town Crier prototype monitor on the left is meant be inside or attached to the
assets to be monitored. It wirelessly sends a pseudo-random “bingo number” every 4 seconds to the listening
unit on the right which is located at a guard station or with a guard. (In actually usage, it would be more like
one bingo number transmitted per minute). For demonstration purposes only, the transmitted bingo number
(A7 at this instant) is displayed on both the real-time monitor (left) and the listening unit (right). (The bingo
number is also spoken by both units, again only for demonstration purposes.) The bad guys don’t know
which bingo number is due up next, and if they break into the real-time monitor, their trespassing is detected
and information about future bingo numbers is erased in less than 1 µsec. If the real-time monitor is
disturbed (one of many possible indications of “tampering”), the unit erases information about future bingo
numbers and stops sending them. When no bingo numbers or the wrong ones are received by the listening
unit, tampering or theft is suspected, and the listening unit sounds a conventional alarm (though it, too, could
alternately pass along an anti-evidence “All OK” signal to a higher level.) The retail cost of parts for each unit
is less than $55, and less than $15 if the superfluous voice module and LCD display are eliminated.
111
The advantages of this Town Crier monitoring approach include simplicity, low-cost, the
use of only very low bandwidth (a few bits to ~1 byte per minute), one-way
communication (we listen for the bingo numbers but don’t try to talk to the real-time
monitor), and high security. Blocking an alarm, counterfeiting the real-time monitoring
hardware, or hacking into the monitor through a communications channel are no longer
useful attacks for the adversary.
It is interesting to note that if sensors inside a security device communicate to the CPU
using a Town Crier approach, it would be much harder for an adversary to spoof the
sensors by shorting or jumpering them.
The name “Town Crier” comes from the town criers of medieval European towns. If
Vikings were to attack, they might be able to overpower the sentries before the sentries
could yell out a warning. The town crier, however, would cry out an “All OK” message at
predetermined times. If the town’s people failed to hear the familiar voice of the Town
Crier giving the “All OK” signal at the correct time, they would grab their weapons and
prepare to defend their town.
Device #28 - Chirping “Tag & Seal”
Type: A Town Crier type of real-time monitor that has certain attribues of a tag and a
seal.
Status: working prototypes
Applications: high level security for vaults, warehouses, sealed radiological sources,
nuclear material, and cargo
Radio frequency (rf) communication can be difficult to work with.[16] Indeed, rf is a

battery power hog, prone to interference, tends to attenuate or detune when near metals or
liquids, often doesn’t work well around corners, and can create safety and security
problems (real or perceived) inside nuclear facilities. Spoofing, hacking, counterfeiting,
blocking, jamming, or eavesdropping of rf signals remotely is a continual concern and
relatively easy to do, especially for radio frequency identification devices (RFIDs).[16]
Complicating the use of rf for international applications is the fact that different countries
have disparate regulations and spectrum allocations for rf signals.
To avoid all these problems with rf, we believe alternative communication methods
should be considered, especially for relatively short range monitoring, e.g., across a storage
vault, inside a cargo hold, or within a nuclear work area or facility. Infrared or
acoustical/ultrasonic signals have, we believe, many potential advantages over rf that have
not been fully explored or exploited.
Figure 35 shows a prototype Town Crier real-time monitoring device that we call the
“Chirping Tag and Seal”. (This is something of a misnomer since it is primarily a real-time
112
monitor). Instead of using rf, this device sends the anti-evidence “All OK” signal using
acoustical chirps. The acoustical chirps are generated using a commercial resonant chirp
buzzer, model PKM24SPH3805 made by Murata manufacturing.[42] These “chirpers” are
often found on smoke detectors, where they chirp once per minute for many months to
indicate that the battery is nearly dead. It costs approximately $1.50 in retail quantities
and operates at approximately 3.8 Hz. Most environments (including nuclear facilities and
moving trucks) are relatively quiet at this frequency, with human voices lying mostly in the
range 100 – 1000 Hz.[43]
Figure 36 shows the acoustical signal generated by the chirper, which lasts
approximately 23 msecs. Figure 37 shows the FFT frequency spectrum, with the peak
centered around 3.8 kHz.
Figure 35 - The Chirping Tag and Seal, top view (left) and bottom view (right). This prototype device is
based on the use of an inexpensive PIC 12F629 microprocessor and a $1.78 (retail cost) resonant chirping
buzzer. The device operates for many months on 2 coin batteries.
Figure 36 - The relative sound intensity of 1 chirp as a function of time as recorded by a microphone.
113
Figure 37 - The frequency spectrum of 1 chirp.
The maximum sound output of the chirper is 90 dB at a distance of 10 cm, though it uses
very little battery power. The chirps go around corners quite effectively. Along a straight
line, we have demonstrated the ability to detect the chirps using an inexpensive
microphone at a distance in excess of 250 meters, outdoors in a noisy environment.
The parts for the Chirping Tag and Seal shown in figure 35 cost under $5 in retail
quantities. This includes a light sensor that can determine if the device has been picked up
or moved. Depending on what other tamper/intrusion sensors one wanted to add to the
device (and there are many options), the retail cost of parts might be higher.
The Chirping Tag and Seal is a much simpler version of the Town Crier prototype that
was shown in figure 35 not just because it avoids the use of rf, but also because it doesn’t
even need to transmit an actual bingo number or modulate the (acoustical) chirp it emits.
The “All OK” signal for our Chirping Tag and Seal is the exact time when the chirp is
generated. As long as everything is fine, the device will “chirp” at pseudo-random,
unpredictable times. Only the good guys know when the next chirp is due. For the
demonstration prototype shown in figure 35, the chirps come once every 3 seconds on
average. In a real application, however, a chirp might only be generated once every minute
or two on average. Once tampering/intrusion is detected (or if the device is removed), the
chirping stops, the remote listening microphone fails to hear the next chirp when it is due,
and the information needed to determine when future chirps are due to occur is erased in
less than 1 µsec.
Note that it is only the time to the next chirp that matters, not the absolute time.
Thus, highly accurate clocks are not needed. The time to the next chirp can be
determined using a pseudo-random number generator (PRNG). An adversary would
have to collect chirp data for many weeks before he would have sufficient data to
confidently be able to figure out the PRNG. For the best security, however, the times
114
between chirps should be random numbers generated in advance by hardware, and

stored on the device as a kind of one-time keypad.
The sound chirps are short enough that many different chirping devices can be
operating in the same volume, all chirping away on different schedules. Only 1
microphone is needed to listen to hundreds of different Chirping Tags and Seals
simultaneously. The chirps would overlap very infrequently given their short
duration, but the good guys know when each overlap is coming and can deal with the
situation appropriately. (The average time before any two chirpers overlap, each
chirping randomly once per minute on average, is almost 2 days.) Should overlapping
nevertheless become a problem, the chirp duration (23 ms) could be decreased, the
average time to the next chirp increased, and/or different frequencies used for
different units.
It is not necessarily desirable to conclude that tampering, intrusion, or theft has

occurred after just one missed chirp. Two or three missing chirps in a row might be a
better threshold for any given Chirping Tag and Seal.
Note that the acoustical chirp could be replaced with an ultrasonic chirp (to be less
annoying to people), but the range would be less. Alternatively, an ultra-short flash
from an infrared LED could be used. Rise times can be a short as 100 pico-seconds.
The ability to go around corners, however, would not be as good in either case as is
possible with acoustical chirps.
Because of its simplicity, low cost, and small size, we believe the Chirping Tag and
Seal would be particularly useful for monitoring sealed radiological sources. Instead
of attaching a security device directly to the sealed radiological source (which presents
a number of practical problems), we are instead designing a thin, lightweight plastic
case to hold each source. For many authorized radiological applications, the sealed
radiological source could be used without having to even remove it from the case. Our
Chirping Tag and Seal would do the random audible chirping to assure that the sealed
source was still present, and also check whether the case has been opened or
compromised, and that the Chirping Tag and Seal was still attached to the case. Any
evidence of tampering would cause the chirping to stop. The unauthorized removal of
the case and chirper would cause the chirps to no longer be detected.
While the Chirping Tag and Seal is fundamentally a real-time monitor, it can also be
used as a tag and as a seal. It can serve a tag function by identifying the asset it is
attached to, not with a unique serial number such as done with an optical barcode or
an RFID, but rather by chirping at a specific time. It can act as a seal if the chirps from
one or more such devices are collected by a microphone and analyzed by a
microprocessor that is itself part of an anti-evidence seal. We can envision, for
example, a truck cargo area full of valuable assets in transit, each with a Chirping Tag
and Seal attached. (Reasonable road noise causes little acoustical interference.) When
the truck arrived at its destination, the listening microprocessor would be queried as
to whether tampering, intrusion, or theft had occurred based on its monitoring of the
115
chirps. While there would be real-time monitoring inside the truck, the results would
be available only after an inquiry occurred at the receiving location.
Device #29 - Live & Local Video Authentication
Type: technique for athentication of surveillance video (or other high-bandwidth

sensors)
Status: proof of principle
Applications: high level security for nuclear treaty monitoring, and for vaults,
warehouses, and cargo-holds
Current video surveillance techniques for nuclear treaty monitoring and other high-
level security applications make extensive use of expensive custom monitoring cameras,
tags, seals, tamper-evident enclosures, and encryption/data authentication (often resulting
in poor spatial and temporal resolution), and secret keys & passwords. These are costly,
complicated, time-intensive, not conducive to negotiability and transparency for nuclear
treaty monitoring, and the security they provide is often illusionary. Moreover, the need
for a secure chain of custody for the hardware and software, starting at the factory, is
usually unmet.
Potentially, these things are unnecessary—or at least their use could be greatly
reduced—if real-time streaming video is allowed and can be recorded for future analysis.
This would make it possible to use comercial-off-the-shelf video cameras (with the low cost
and excellent quality control). Various challenge/resoponse tests at nanosecond to second
time scales can help veryify that the video is both live (not pre-recorded) and being
generated locally (to within a few kilometers).
The streaming of the video frames, combined with these challenge/response tests leave
the adversary with inadequate time to counterfeit or tamper with the video images on the
fly. No other tamper detection or encryption/data authentication is needed (at least for the
video camera) if the temporal response of the steaming video system is understood.
We have conducted a preliminary proof of principle for this concept. It could potentially
also work for other kinds of high-bandwidth sensors—not just video cameras.
Device #30 - Rapid Sampling Tool
Type: field tool

Status: 3 U.S. patents, working field units
Applications: counter-terrorism, nonproliferation, emergency responders, drug raids,
waste management
We have designed and built simple field tools that work with standard battery-powered
hand drills. They allow the user to sample liquids or flowable powders without opening
116
the container, or allowing any of its contents to escape. Very types of containers can be
sampled, up to 1.4 cm thick and 8-atmospheres of internal pressure. See reference [57] for
more information.
Figure 38 - One version of the Rapid Sampling Tool.
Access Control
Device #31 - Image Algorithm Password
Type: an alternate kind of graphical “password” for access control for rooms, buildings,
or computer log-ons
Status: demonstration software
Applications: high level security for limited access areas or secure computing systems
There are numerous concepts for passwords based on graphical images or other
cognitive authentication approaches.[44-55] We believe our approach has two strong
strong advantages over other approaches: (1) It is very difficult for an adversary to figure
out the “password”, even if he knows the person well and has watched her enter the
“password” many times, and (2) The algorithm is easy to remember even after a long time
of not being used.
With our approach, each authorized person has to remember only 2 things: An “anchor
algorithm” question about what is on the display monitor, and a vector. Examples of an
anchor algorithm question can include:
1. Which object costs less than $5?
2. Which object can typically be found in the kitchen?
3. Which object contains a lot of wood?
117
4. Which object did not exist in the year 1900?

5. Which thing is alive?
5. Which object has a name (label) with 2 vowels in it?
6. Which icon is “facing” to the left?
Each time a subject wishes to gain physical or computer access, she is shown a grid of
cllipart images (“icons”), such as in figure 38. Her job is to scan the grid and find the one
icon that answers her anchor algorithm question. This is called the “anchor”. If she cannot
find an appropriate anchor, she is allowed to request a new set of icons (without selecting
any from the original grid). Once an anchor is identified, she then selects a different icon
that is displaced from the anchor by her personal vector. She may need to repeat the
process for multiple grids with different icons to gain access if better security is desired.
Figure 38 - 91 different icons. Each icon (or “clip art”) has a name (label) that defines what it is.
It is a complex problem for an adversary to try to work backwards and figure out the
anchor, then figure out the algorithm. There are, for example, 25 possible vectors away
from the anchor, given no more than 3 total steps: ±3 Vertical icons (up or down) + 0
Horizontal; ±2 Vertical + 0 or ±1 Horizonal (left or right); ±1 Vertical + 0, ±1, or ±2
Horizontal; 0 Vertical + 0, ±1, ±2, or ± 3 Horizontal).
Before using the system, the user must enter a ID badge or PIN or password to identify
the person and thus let the system look up her anchor question and vector.
Our demonstration software for this technique randomly fills the grid with icons that
unambiguously do not fit each person’s anchor question. This has previously been
determined by going though all the icons and asking a panel of people whether each icon
118
fits a given anchor question well, poorly, or it is unclear. Only when there is very strong
consensus is an anchor question assigned affirmatively to a given icon.
Once the grid is filled with icons that unambiguously do not fit the relevant anchor
questons (with no duplication of icons allowed), one of the icons is randomly chosen and
replaced with an icon that does unambiguously fit the anchor question. The person looks
through the grid, finds the one icon that fits her anchor question, then using the vector to
select an icon.
Anchor questions can be re-used for different people if they are given different vectors. If
the vector takes the user off the grid, she simply wraps around. A rotatable sphere for
displaying the icons would eliminate the confusion of wrapping around.
Preliminary experiments suggest that most people can learn how this concept works and
learn their anchor question and vector in just a few minutes of explanation followed by
some practice. Most people had little problem in quickly finding the relevant icon for their
anchor question. There is evidence that people could remember their anchor and vector
even after sevearal months of not using the system, especially if we used particularly vivid
training methods.
While this system would probably not be practical for access control for a large number
of employees—because of the effort required to set it up and train the users—this
approach might make some sense for high security applications where there are only a
modest number of authorized individuals.
Device #32 - Physical Isolation from Ethernet and the Internet
Type: cyber physical access control

Status: working unit
Applications: slight improvement in cyber security; security awareness tool
A RJ45 switch box (~$9 retail) can be used to disconnect a computer from its Ethernet
connection for times when you don’t need to be connected (for example) to the Internet,
yet want to instantly re-connect when you do. See figures 39 and 40. In addition to the
switch box, two Ethernet patch (8P8C) cables are needed.
119
With the switch box, there is no need for fumbling with cables or software to
disconnect/reconnect the Ethernet port when it is not needed. Of course this doesn’t
address wifi or Bluetooth connections, nor help all that much if you are being personally
targeted by hackers, but it can potentially cut down on opportunities for cyber attacks or
mistaken release of sensitive data.
Figure 39 - Front view of a commercial RJ45 switch box with labels added by the authors.
Figure 40 - Rear view of the switch box. A cable is used to connect the I/O port to the Ethernet router, while
another cable connects the A port to the computer’s Ethernet port. No cable is connected to B for this
application.
120
Device #33 - Sticky Bomb Detector for Vehicle Security
Type: vehicle access control

Status: proof of principle on 2 different concepts
Applications: counter-terrorism, vehicle and cargo security
We have conducted a proof of principle for 2 different methods of detecting when an

improvised explosive device has been attached to a parked vehicle.[58] One technique is
based on detecting an increase in tire pressure when even a very small amout of weight is
added to (or subtracted from) a vehicle. The other techique is based on detecting the
magnet that is often used to attach such “sticky bombs”.
Both techniques are relatively inexpensive and could possibly also work on moving
vehicles, with a reduce level of sensitivity. Both techniques can work as either tamper
detectors (after the fact detection) or real-time monitors.
There are other potential applications for vehicle and cargo security. See reference [58]
for more information.
Acknowledgements
This work was supported by the U.S. Department of Energy (DOE), Office of Basic
Sciences, and the National Nuclear Security Administration (NNSA) under contract #DE-
AC02-06CH11357. The views expressed in this article are those of the authors and should
not necessarily be ascribed to Argonne National Laboratory, DOE, or NNSA.
We are grateful to Anthony Garcia, Leon Lopez, Ron Martinez, Adam Pacheco, and Sonia
Trujillo for ideas, design concepts, machining, and other assistance. Nate Briston made
major contributions to the design and construction of the Time Lock and helped with other
technical details. Veronica Manfredi conducted much of the testing of the Image Algorithm
Password technique and assisted in other ways. Jim Vetrone did much of the experimental
testing on the sticky bomb detection techniques. We also benefited from the help of
Marissa Faler, Sam Fuchs, Christopher Folk, Gregory Bylsma, and Eric Baca.
121
References
1. Argonne Vulnerability Assessment Team, http://www.ne.anl.gov/capabilities/vat/
2. Phil Rogers, “Most Security Measures Easy to Breach”,

http://www.youtube.com/watch?v=frBBGJqkz9E
3. Boonsri Dickinson, “At Argonne National Lab, Closing the Curtains on ‘Security Theater’”,
November 9, 2010, http://www.smartplanet.com/technology/blog/science-scope/at-
argonne-national-lab-closing-the-curtains-on-security-theater/5167/
4. RG Johnston and JS Warner, “Debunking Vulnerability Assessment Myths”,

SecurityInfoWatch, August 6 & 13, 2013,
Part 1:
http://www.securityinfowatch.com/article/11078830/experts-discuss-commonly-held-
misconceptions-about-vulnerability-assessments
Part 2:
http://www.securityinfowatch.com/article/11108983/experts-discuss-the-
characteristics-of-good-vulnerability-assessors
5. RG Johnston and ARE Garcia, “An Annotated Taxonomy of Tag and Seal Vulnerabilities”,
Journal of Nuclear Materials Management 28(3), 23-30 (2000).
6. RG Johnston, ARE Garcia, and AN Pacheco, “Efficacy of Tamper-Indicating Seals”, Journal

of Homeland Security, April 16, 2002,
http://www.homelandsecurity.org/journal/Articles/displayarticle.asp?article=50
7. JS Warner and RG Johnston, “Why RFID Tags Offer Poor Security”, Proceedings of the
51st INMM Meeting, Baltimore, MD, July 11-15, 2010.
8. RG Johnston, “Lessons for Layering”, Security Management 54(1), 64-69, (2010).
9. RG Johnston, “New Research on Tamper-Indicating Seals”, International Utilities

Revenue Protection Association News, 16(1), 17-18 (2006).
10. RG Johnston, “Tamper-Indicating Seals”, American Scientist 94(6), 515-523 (2005).
11. RG Johnston and JS Warner, “The Doctor Who Conundrum: Why Placing Too Much
Faith in Technology Leads to Failure”, Security Management 49(9), 112-121 (2005).
12. RG Johnston and JS Warner, "What Vulnerability Assessors Know That You Should,
Too", Asia Pacific Security Magazine 50, 40-42 (2013)
13. JS Warner and RG Johnston, “Chirping Tag and Seal”, Proceedings of the 51st INMM
Meeting, Baltimore, MD, July 11-15, 2010.
122
14. RG Johnston, EC Michaud, and JS Warner, “The Security of Urine Drug Testing”, Journal
of Drug Issues, 39(4) 1015-1028 (2009),
http://jod.sagepub.com/content/39/4/1015.full.pdf+html
15. RG Johnston, “Tamper Detection for Safeguards and Treaty Monitoring: Fantasies,
Realities, and Potentials”, The Nonproliferation Review 8(1), 102-115 (2001),
http://www.autoid.org/1_2003%20Documents/Sep/104sc4wg2n0121_Johnston.pdf
16. RG Johnston, “The ‘Anti-Evidence’ Approach to Tamper-Detection”, Packaging,

Transport, Storage & Security of Radioactive Material 16(2), 135-143 (2005).
17. RG Johnston and JS Warner, Unconventional Approaches to Chain of Custody and

Verification”, Proceedings of the 51st INMM Meeting, Baltimore, MD, July 11-15, 2010.
18. RG Johnston and ARE Garcia, Triboluminescent Tamper-Indicating Device. U.S. Patent
6,394,022, April 28, 2002.
19. AJ Walton, “Triboluminescence”, Advances in Physics 26(6), 887-948 (1977).
20. G Bourhill, LO Palsson, IDW Samuel, IC Sage, IDH Oswald, and JP Duignan, “The Solid-
State Photoluminescent Quantum Yield of Triboluminescent Materials”, Chemical Physics
Letters 336(4), 234-241 (2001).
21. I Sage, R Badcock, L Humberstone, N Geddes, M Kemp, and G Borhill, “Triboluminescent

Damage Sensors”, Smart Materials and Structures 8(4), 504-510 (1999).
22. RG Johnston, Magic Slate Seal, Los Alamos National Laboratory Report LAUR-02-6848
(2002).
23. JE Amoore and E Hautala, “Odor as an Aid to Chemical Safety”, Journal of Applied
Toxicology 3(6), 272-290 (1983).
24. RJ Versic, “Microencapsulation and Scented Fragrance Inserts”, Drug & Cosmetic
Industry 144(6), 30ff (1989), http://www.rtdodge.com/fr-insrt.html
25. TH Elmer, Porous and Reconstructed Glasses in Engineered Materials Handbook, Volume
4: Ceramics and Glasses, pp. 427-432 (1992), ASM International, Materials Park, OH,
http://www.corning.com/lightingmaterials/products/vycor.html
26. RG Johnston and ARE Garcia, Magnetic Vector Field Tag and Seal. U.S. Patent 6,784,796
B2, August 31, 2004.
27. RG Johnston, MagTag: Magnetic Vector Field Tag and Seal. Los Alamos National
Laboratory Report LAUR-02-6848 (2002).
123
28. RG Johnston, and ARE Garcia. Tamper-Indicating Device Having a Glass Body. U.S.
Patent 6,553,930 B1, April 29, 2003.
29. ARE Garcia and RG Johnston, Enhanced Tamper Indicator. U.S. Patent 6,588,812 B1,
July 8, 2003.
30. CA Sastre, The Use of Seals as a Safeguards Tool. Brookhaven National Laboratory
Report BNL 13480 (1969).
31. Texas Advanced Optoelectronic Solutions (TAOS),

http://www.taosinc.com/product_detail.asp?cateid=11&proid=12
32. RG Johnston and JS Warner, “How to Choose and Use Seals”, Army Sustainment 44(4),
54-58 (2012), http://www.almc.army.mil/alog/issues/JulAug12/browse.html
33. A Terzan, M Chatagnat, and D DubetLe, “Nouveau Comparateur a Eclipses De

L’Observatoire de Lyon”, J. Optics (Paris) 9(2), 21-126 (1978).
34. ER Craine, “Video Comparator System for Early Detection of Cutaneous Malignant
Melanoma”, Proceedings of the SPIE 1653, 399-409 (1992).
35. Croswell, K. “The Pursuit of Pluto”, American Heritage of Invention and Technology
5(3), 50-57, 1990.
36. Newport Corporation. Kinematic Mounts.

http://www.newport.com/servicesupport/Tutorials/default.aspx?id=84
37. Simple 3D: 3D Scanners, Digitizers, and Software for Making 3D Models and 3D
Measurements. http://www.simple3d.com
38. Thermodynamics. http://www.scitoys.com/scitoys/scitoys/thermo/thermo.html
39. “New Bottle Cap Thwarts Wine Counterfeiters”, WebWire, August 4, 2008,
http://www.webwire.com/ViewPressRel.asp?aId=71479
40. RG Johnston, ARE Garcia, and AN Pacheco, “The ‘Town Crier’ Approach to Monitoring”,
International Journal of Radioactive Material Transport 13(2), 117-126 (2002).
41. RG Johnston, ARE Garcia, and AN Pacheco, “Improved Security Via ‘Town Crier’
Monitoring”, Proceedings of Waste Management ’03, Tucson, AZ, February 24-27, 2003,
www.osti.gov/servlets/purl/827636-nWiBFO/native/
42. Murata, “Piezoelectric Sound Components”, page 25,

http://www.murata.com/products/catalog/pdf/p37e.pdf
43. G Elert, “The Nature of Sound”, The Physics Hypertextbook, http://physics.info/sound
124
44. H Asgha, S Li, J Pieprzyk, & H Wang, (2011). “Cryptanalysis of the Convex Hull Click
Human Identification Protocol”, Information Security, pp 24-30.
45. X Bai, W Gu, S Chellappan, X Wang, D Xuan, & B Ma (2008), “PAS: Predicate-Based
Authentication Services Against Powerful Passive Adversaries”, Computer Security
Applications Conference, ACSAC 2008, pp 433-442.
46. R Biddle, S Chiasson, & P Van Oorschot, (2011), “Graphical Passwords: Learning from
the First Twelve Years”, ACM Computing Surveys, 44(4).
47. P Golle, & D Wagner, (2007), Cryptanalysis of a Cognitive Authentication Scheme”, IEEE
Conference on Security and Privacy, SP'07, pp 66-70.
48. JA Haskett (1984), “Pass-Algorithms: A User Validation Scheme Based on Knowledge of

Secret Algorithms”, Communications of the ACM 27(8), 777-781.
49. "HIPs." HIPs. N.p., n.d. Web. 26 July 2012. http://www.aladdin.cs.cmu.edu/hips/
50. D Hong, S Man, B Hawes, & M Mathews (2004), “A Graphical Password Scheme Strongly
Resistant to Spyware”, Proceedings the of International Conference on Security and
Management, Las Vegas, NV.
51. N Hopper, & M Blum, (2001), “Secure Human Identification Protocols”, Advances in
Cryptology—ASIACRYPT 2001, pp 52-66.
52. H Jameel, H Lee, & S Lee, (2007), “Using Image Attributes for Human Identification
Protocols”, Arxiv Preprint arXiv:0704.2295,
53. H Jameel, R Shaikh, L Hung, Y Wei, S Raazi, N Canh, et al. (2009), “Image-Feature Based
Human Identification Protocols on Limited Display Devices”, Information Security
Applications, pp 211-224.
54. S Li, H Asghar, J Pieprzyk, AR Sadeghi, et al. (2009), “On the Security of PAS (Predicate-
Based Authentication Service)”, Computer Security Applications Conference, 2009.
ACSAC'09, pp 209-218.
55. S Wiedenbeck, J Waters, L Sobrado, & JC Birget (2006), “Design and Evaluation of a
Shoulder-Surfing Resistant Graphical Password Scheme”, Proceedings of the Working
Conference on Advanced Visual Interfaces, pp 177-184.
56. RG Johnston, “An Anti-Counterfeiting Strategy Using Numeric Tokens”, International

Journal of Pharmaceutical Medicine 19, 163-171 (2005).
57. RG Johnston, ARE Garcia, RK Martinez, and ET Baca (1999), "Sealed-Container

Sampling Tools", Practice Periodical of Hazardous, Toxic, and Radioactive Waste Mgmt. 3,
18-22 (1999).
125
58. RG Johnston, J Vetrone, and JS Warner, “Sticky Bomb Detection with Other Implications
for Vehicle Security”, Journal of Physical Security 4(1), 36-46 (2010).
126

Unconventional Security Devices

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Unconventional Security Devices

Hochgeladen von

Copyright:

Verfügbare Formate

Journal of Physical Security 7(3), 62-126 (2014)

Unconventional Security Devices*

Roger G. Johnston, Ph.D., CPP and Jon S. Warner, Ph.D.

Vulnerability Assessment Team

Tamper-indicating seals play an important role in nuclear safeguards, physical security,

Device #1 - Time “Lock”

Type: electronic, reusable time-out seal

Oddly, small battery-powered, padlock-size time locks do not seem to be commercially

The device shown in figure 1 is a re-usable, electronic, tamper-indicating seal we

Device #2 - Time Trap

Type: hash time trap (anti-evidence, covert tamper-indicating seal)

As discussed elsewhere in more detail[1,16,17], a Time Trap is a type of anti-evidence

Figure 2 - One design for our working prototype Time Trap.

Other possible sensors include:

hall effect magnetometer $0.85

Device #3 - Flashing Lights Seal

Type: password (anti-evidence) seal

Device #4 - Blinking Lights Saturation Seal

Type: saturated response (anti-evidence) trap

• All 3 of the LEDs turn on or off in unison.

Device #5 - Talking Truck Cargo Seal

Type: password (anti-evidence) seal

Applications: high level security

• The “go” in cargo.

Device #6 - Triboluminescent Seal

Type: password (anti-evidence) seal

Triboluminescence is the phenomenon where a material produces light (visible,

Device #7 - Magic Slate Seal

Type: password (anti-evidence) seal

Perhaps surprisingly, anti-evidence password seals do not need to be electronic. See

Figure 13 - Exploded view of a different prototype Magic Slate Seal.

Figure 14 - End-on view of a prototype Magic Slate Seal.

There are several options for reusing the seal:

Device #8 - Skunk Seal

Type: novel conventional seal

It is also possible to use commercial, hand-held, battery-powered organic vapor

Device #9 - Anti-Evidence Skunk Seal

Type: password (anti-evidence) seal

Device #10 - Inverse Skunk Seal

Type: novel conventional seal

Device #11 - Anti-Evidence Inverse Skunk Seal

Type: password (anti-evidence) seal

Device #12 - MagTag

Type: complexity (anti-evidence) seal (and tag)

For a sufficiently complex configuration of magnets inside the container, an adversary

distance from minimum detectable minimum detectable

Some of the attractive attributes of MagTag include:

• In addition to detecting tampering, the arrangement of magnets also serves as a kind

Device #13 - Tempered Glass Seal

Type: novel conventional seal

Device #14 - Glass and Powder Seal

Type: complexity (anti-evidence) seal

Device #15 - Glass Rivet

Type: novel conventional seal or complexity seal

Figure 19 - Transportainer showing a lock on the handle. The arrow points

Figure 20 - Glass Rivet with internal locking ring, shown

Device #16 - Haspless Plug Seal

Type: novel conventional seal or lock

Device #17 - E-Cup Insert

Type: enhancement of conventional seals, particular the metal (E-cup) seal

Device #18 - Multi-Strand Wire Loop Seal

Type: enhancement of conventional wire loop seals

Device #19 - Tie-Dye Seal

Type: novel conventional seal or complexity seal